NHS ransomware attack contributed to patient’s death

A person’s death was linked to ransomware attack on NHS Blood Services in London hospitals and general practitioners last June.

King’s College Hospital NHS Foundation Trust confirmed that a patient was “deceased unexpectedly” during the cyber attack on June 3, 2024, which disturbed more than 10,000 meetings.

A Trust spokesperson said that a number of contributory factors have led to the patient’s death, including “a long wait for a blood test”.

The data of patients managed by Synnovis, an agency that manages laboratories for NHS trusts and GPS in southeast London, was stolen during the incident.

A Trust spokesperson said that a detailed examination had been undertaken for the patient.

“The patient safety incident survey has identified a number of contributory factors that led to the patient’s death,” they said.

“This included a long wait for a blood test result due to the cyber attack which has an impact on the pathology services at the time.

“We met the patient’s family and shared the results of the safety survey with them.”

The spokesman added that they could not confirm the date of death or the age of the person, citing confidentiality.

Mark Dollar, managing director of Synnovis, said: “We are deeply saddened to learn that the criminal cyber attack from last year was identified as one of the contributory factors that led to the death of this patient.

“Our hearts go to the involved family.”

More than 10,000 meetings were canceled at the two London NHS trustees which were the most affected. A large number of GP practices in London could not order blood tests for their patients.

The Health Service Journal (HSJ) said that there were nearly 600 “incidents” linked to the attack, with the care of patients suffering in 170 of them. One case was of “serious” damage, 14 led to “moderate” damage and the others were identified as “low damage”, said HSJ.

According to NHS directives, serious damage occurs when patients are undergoing permanent damage; Need rescue care or could have reduced their life expectancy, among a number of other factors.

Deryck Mitchelson, of the cybersecurity company Check Point, said that the cyber attacks were more than a simple “disturbance” because they caused “damage to patients”.

Mr. Mitchelson, former director of the National Information Security Manager and Chief NHS of the NHS National Services Scotland, said that IT systems were not as safe as the weakest link in the chain.

“Death now confirmed is tragic, but it is not surprising. When systems underlying diagnosis and treatment are slaughtered, the consequences are not hypothetical. This is the real cost,” he said.

“It was not a faceless act. It was not only systems or data that you targeted – it was care. It was people. One of them now lost their lives. It should weigh heavily.”

Qilin, the cybercriminal group based in Russia, head of the attack, previously said that it was “sorry” for all the damage caused but “not to blame”.

The Ransomware gang spoke to the BBC in June 2024 on the encrypted cat service Qtox and tried to justify the attack as a form of political protest.

Qilin said that he had cyberatthe as revenge for the actions of the British government in an unhappy war.

Additional reports by Chris Vallance, BBC Technology.