Patient Death Linked to Cyberattack on British Pathology Clinic Synnovis

A ransomware attack on Synnovis, a key pathology services provider for the UK’s National Health Service, has been officially linked to a patient's death, underscoring the risks cyberattacks pose to healthcare systems.

In June 2024, the ransomware group Qilin targeted the London-based clinic, disrupting pathology services across several London hospitals, including King's College Hospital and Guy's and St Thomas' NHS Foundation Trusts.

The incident crippled Synnovis’s electronic health systems, leading to the cancellation of over 1,000 operations and outpatient appointments, and causing a critical shortage of O-type blood in London hospitals.

One patient death connected to the cyberattack

A recent investigation by King's College Hospital NHS Foundation Trust confirmed that a patient's death was partly due to a delay in blood test results caused by the cyberattack.

As reported by The Record, a spokesperson for King's College Hospital NHS Foundation Trust said that this delay was among “a number of contributing factors” that led to a patient’s death during the incident.

“One patient sadly died unexpectedly during the cyberattack. As is standard practice when this happens, we undertook a detailed review of their care,” reads to the statement. “The patient safety incident investigation identified a number of contributing factors that led to the patient’s death. This included a long wait for a blood test result due to the cyber-attack impacting pathology services at the time. We have met with the patient’s family, and shared the findings of the safety investigation with them.”

In a statement to the news outlet, Synnovis CEO Mark Dollar said: "We are deeply saddened to hear that last year’s criminal cyberattack has been identified as one of the contributing factors that led to this patient’s death. Our hearts go out to the family involved."

170 cases of patient harm related to the incident

The South East London Integrated Care Board reported 170 cases of patient harm related to the attack, with two classified as severe, involving long-term or permanent damage.

The ransomware group behind the attack released 400 GB of sensitive patient data online after their demands were not met.

The breach has prompted calls for an independent inquiry into NHS cybersecurity and patient safety.

Dr Saif Abed, a former NHS doctor, told the Financial Times he believed more patients had died in recent years than publicly reported because of data breaches.

Soon after the attack, the cybercriminal group Qilin told the BBC that it was “sorry” for the harm caused, but refused to accept blame, labeling its actions as a political protest in retaliation for the UK government’s actions in an unspecified war.

What to do if you’re a Synnovis customer

The Record notes that affected parties have still not been fully informed of what patient data was exposed in the incident.

According to some estimates, Qilin’s extortion tactics in the healthcare sector were backed by 900,000 patient records, including full patient names, and test results for STDs and cancer.

Most organizations are transparent and quick to inform customers about a data breach, but others may not react so quickly or decisively.

Ransomware criminals typically steal troves of data for later use in extortion or fraud before demanding ransom – especially in attacks on healthcare providers.

If you are a Synnovis customer, monitor communications from the healthcare provider. If your data is compromised in a breach, be cautious of suspicious emails or calls that cite your personal information. Standard cybersecurity advice is to verify sender identities and avoid clicking on unexpected links.

Bitdefender Digital Identity Protection lets you know if your data has been caught up in a breach, compromised, or leaked online, and it tells you what risks you face and how to protect yourself.

When in doubt about a suspicious text, phone call, or social media interaction, consult Scamio, our free scam-fighting bot.

For peace of mind, consider using a security solution on all your devices.

You may also want to read:

UK Fines 23andMe $3 Million Over 2023 Mega Breach

New Jersey Neurology Practice Fined $25,000 over Ransomware Incident

US Clinical Lab Tells 1.6 Million Customers to 'Protect' Their Data Following Cyberattack