Patient death linked to cyber attack on NHS pathology provider
- 26 June 2025
- The first patient death linked to the cyber attack last year on NHS pathology system provider Synnovis has been confirmed
- A spokesperson for Kingâs College Hospital NHS Foundation Trust said confirmed that "a number of contributing factors" to the death were identified, including a long wait for a blood test result" as a result of the cyber attack
- Synnovis chief executive Mark Dollar said the company is "deeply saddened" by the death
A patient death has been linked to the cyber attack on NHS pathology system provider Synnovis, Kingâs College Hospital NHS Foundation has confirmed.
The ransomware attack on 4 June 2024 caused widespread disruption to NHS services in London, with 10,152 acute outpatient appointments and 1,710 elective procedures postponed at Kingâs College Hospital NHS Foundation Trust and Guyâs and St Thomasâ NHS Foundation Trust, and delays to blood testing in primary care.
A spokesperson for Kingâs College Hospital told Digital Health News that one patient died unexpectedly during the cyber attack.
“As is standard practice when this happens, we undertook a detailed review of their care.
âThe patient safety incident investigation identified a number of contributing factors that led to the patientâs death.
âThis included a long wait for a blood test result as a result of the cyber attack impacting pathology services at the time.
“We have met with the patientâs family and shared the findings of the safety investigation with them,â the spokesperson said.
They added that the date of the death or personâs age cannot be confirmed due to confidentiality.
Responding to the news, Mark Dollar, chief executive at Synnovis, said: âWe are deeply saddened to hear that last yearâs criminal cyber attack has been identified as one of the contributing factors that led to this patientâs death.
“Our hearts go out to the family involved.â
Initial figures released by NHS South East London Integrated Care Board in November 2024, recorded five cases of moderate harm and 114 cases of low harm as a result of the attack, but did not report any cases of serious harm.
However, in January 2025 NHS data obtained by Bloomberg News revealed that healthcare professionals across at least four London boroughs recorded two cases of severe harm, 11 cases of moderate harm, and more than 120 cases of low harm as a direct consequence of the cyber attack.
Dr Saif Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group, told Digital Health News: “This tragedy, sadly, will not be unique and will be repeated again, likely at scale, in future unless political leadership re-prioritises the issue.
“I ask the health secretary to commission an independent, clinically focused review into NHS cybersecurity and patient safety.
“Likewise I ask the Health Select Committee to commence with an inquiry as a matter of urgency given the broken nature of the NHSâs digital supply chain.”
Digital Health News reported that the cyber attack on Synnovis could have been prevented by two-factor authentication.
Meanwhile, suppliers to the NHS have been urged by NHS England and the Department of Health and Social Care to sign a charter of cyber security best practice.
The charter, published on 15 May 2025, requests suppliers to take steps which include maintaining support for systems, applying patches to known vulnerabilities, applying multi-factor authentication to networks and systems, and keeping âimmutable backupsâ of critical business data.
In April 2025, the government published its plans for the Cyber Security and Resilience Bill, which is intended to prevent attacks similar to the Synnovis attack.
