Health

Ransomware attack on Synnovis linked to first NHS patient death from delayed blood test results

Wednesday, 25 June 2025 1:53PM UTC

A June 2024 cyberattack by Russian-linked group Qilin on Synnovis, the NHS pathology service provider, caused critical delays in blood testing across major London hospitals and led to the first confirmed patient death linked to disrupted medical diagnostics. The breach exposed fundamental security flaws and prompted urgent calls for improved NHS cybersecurity measures.

A ransomware cyber attack on Synnovis, a pathology services provider for the NHS in London, has been linked to the first confirmed patient death caused by delays in receiving blood test results. The June 2024 breach, attributed to the Russian-speaking cybercrime group Qilin, severely disrupted pathology services at major hospital trusts including King’s College Hospital, Guy’s and St Thomas’, and Lewisham and Greenwich hospitals, leading to widespread cancellations of thousands of surgeries and medical procedures.

King’s College Hospital Foundation Trust confirmed that one patient died unexpectedly during the period affected by the cyber attack. A detailed safety investigation identified multiple contributory factors surrounding the patient’s care, notably the delayed blood test results caused by the attack. The trust shared the findings with the patient’s family but withheld specifics about the individual’s identity or the date of death, citing confidentiality.

This ransomware attack, which infiltrated Synnovis’s systems by exploiting basic security flaws such as the lack of multi-factor authentication, encrypted critical data and rendered it inaccessible. The failure forced hospitals to revert to manual processes, as electronic transmission of test results was impossible. Staff had to rely on printed reports delivered by hospital porters, creating delays in diagnosis and treatment decisions that usually depend on swift blood test feedback. For a period of three months, vital procedures such as blood transfusions and blood matching were stalled, with hospitals forced to use universal blood types, depleting blood stocks and triggering a national appeal.

The South East London Integrated Care Board has identified 170 cases impacted by the attack, with most deemed to have caused low harm apart from the fatality. General Practitioners described the inability to access test results as “like flying blind,” illustrating the significant operational disruption faced by NHS and primary care services across six London boroughs.

The financial consequences for Synnovis have been severe, with losses estimated at £33 million, eclipsing the company’s previous annual profits. Synnovis is a public-private partnership, 51 percent owned by German pathology firm Synlab, with the remainder held by King’s College Hospital and Guy’s and St Thomas’. The company has stated it is working with IT security experts to bolster its defences and conduct rigorous testing. However, whether any ransom was paid to the hackers remains undisclosed due to “sensitivities.”

The attack has intensified calls from cybersecurity experts for an independent inquiry into NHS digital vulnerabilities and patient safety. Dr Saif Abed, a cybersecurity specialist, warned that the widely publicised death might be the tip of the iceberg, urging greater transparency and accountability for NHS cybersecurity standards, especially given the increasing role of external providers in delivering critical health services.

This incident highlights ongoing challenges in the NHS’s cyber resilience, particularly as it continues to face threats from sophisticated ransomware gangs operating beyond Western legal reach. Qilin, the Russian cybercrime group responsible, has been linked to multiple attacks on organisations worldwide and is known to lease its malware to affiliates, complicating efforts to identify and counter threat actors.

In response to the attack, the NHS and the Department of Health and Social Care have urged all health service suppliers to implement fundamental cybersecurity measures such as multi-factor authentication. Despite such appeals, the breach revealed persistent gaps in securing third-party providers, with potentially grave consequences for patient care.

At the frontline, staff have had to adapt to unprecedented operational pressures, managing prioritised testing for clinically critical cases only, while navigating delays and cancellations. A clinical staff member at Guy’s and St Thomas’ described how the manual handling of test results requires porters to physically transport printed reports to wards, a stark regression from usual digital workflows.

The fallout from the breach continues to reverberate across London’s health system as efforts are underway to restore full pathology services and evaluate the scope of harm caused. Investigations remain active by law enforcement and regulatory bodies, with potential financial penalties on the horizon for data protection breaches.

This grim episode underscores the urgent need for robust cybersecurity practices within the NHS, particularly in its reliance on outsourced diagnostic services, to safeguard patient safety and maintain trust in the digital infrastructure underpinning modern healthcare.

📌 Reference Map:

Paragraph 1 – ^[1], ^[2], ^[4]
Paragraph 2 – ^[1], ^[2]
Paragraph 3 – ^[1], ^[6], ^[5]
Paragraph 4 – ^[1], ^[5]
Paragraph 5 – ^[1], ^[3]
Paragraph 6 – ^[2]
Paragraph 7 – ^[2], ^[4]
Paragraph 8 – ^[1], ^[2]
Paragraph 9 – ^[5], ^[6]
Paragraph 10 – ^[1], ^[3], ^[4]

Source: Noah Wire Services

More on this

https://www.dailymail.co.uk/health/article-14846157/First-Briton-killed-cyber-attack-NHS-computers-Hack-led-lethal-delay-test-results.html?ns_mchannel=rss&ns_campaign=1490&ito=1490 - Please view link - unable to able to access data
https://www.ft.com/content/773c031b-a4e9-4120-bea6-d3d4c3eecdc4 - A ransomware attack on the NHS in June 2024, attributed to the Russian-speaking cybercrime group Qilin, led to severe disruptions in pathology services at key London hospitals and contributed to a patient’s death due to delayed blood test results. The breach targeted Synnovis, a provider handling blood tests for NHS organisations, resulting in the theft and release of 400GB of sensitive data. The attack affected operations at King's College Hospital and Guy's and St Thomas' NHS Foundation Trust, prompting the South East London Integrated Care Board to identify 170 cases of patient harm, mostly categorised as low harm. The fatality, confirmed by King's College Hospital Foundation Trust, has intensified concerns about digital vulnerabilities in healthcare, especially with increasing NHS reliance on private service providers. Cybersecurity expert Dr. Saif Abed believes the publicised case is only one of many and is calling for an independent inquiry into NHS cybersecurity and its implications for patient safety. Investigations by law enforcement are ongoing, while Synnovis and NHS England have yet to comment.
https://www.ft.com/content/d2be7c65-bf44-4a7d-9791-6deafe66659f - The ransomware attack against Synnovis in June 2024 resulted in costs estimated at £32.7 million, surpassing the company's recent annual profits. The incident led to one of the largest patient data breaches in the NHS in recent times, causing cancellations or delays in thousands of operations and appointments across various NHS hospitals and clinics in London. The Russian cyberattack group Qilin claimed responsibility, releasing 400 GB of stolen information. Synnovis has been slowly restoring its systems, recently completing the 'first phase' of its recovery plan. The company anticipates returning to profitability through a long-term outsourcing contract. Synnovis is a public-private partnership between Synlab and the trusts of Guy's and St Thomas' and King's College Hospital NHS. Ongoing investigations could result in fines from the Information Commissioner's Office.
https://apnews.com/article/cdf59beb5b36a8eedd1470732e10ac8c - A ransomware attack believed to be executed by the Russian cyber gang Qilin has disrupted several hospitals in London, causing operations and appointments to be cancelled. The group targeted Synnovis, a pathology lab service provider for the National Health Service, leading to significant disruptions in services, particularly blood transfusions. The incident, labelled as a 'critical' and 'major impact' event, particularly affected King's College and Guy's and St Thomas' hospital trusts. This type of ransomware attack paralysed computer systems, severely hindering operations within the healthcare trust. Synnovis is still working to understand the attack, which was reported to the police. Ransomware, a costly and disruptive form of cybercrime, is often difficult to combat as many gangs operate from former Soviet states, beyond Western legal reach. Qilin leases its malware to affiliates, having listed over 100 victims, according to a cyber threat intelligence company.
https://www.bbc.co.uk/news/articles/cd115yw8pd3o - A London GP reports that blood tests are being delayed as staff are asked to process only 'clinically critical' samples following a cyber attack that has had a 'massive effect' on pathology services in the capital. The attack on IT systems at firm Synnovis has affected King's College Hospital, Guy's and St Thomas' - including the Royal Brompton and the Evelina London Children's Hospital - as well as primary care services. Dr Abdul Kamali says the NHS is 'planning' and 'prioritising' patient care, adding: 'We've coped through Covid which was a major situation so hopefully we will get through this.' Synnovis said it had 'put additional resources in place' so that urgent samples received from GPs or hospitals could be processed 'within appropriate timeframes'. A critical incident was declared on 4 June after the incident affected the delivery of services such as blood transfusions and test results.
https://www.theguardian.com/society/article/2024/jun/05/london-nhs-hospitals-revert-to-paper-records-in-wake-of-russian-cyber-attack - A GSTT clinical staff member said: 'Since the attack, Synnovis have had to print out the blood test results when they get them from their laboratories, which are on site at Guy’s and St Thomas. Porters collect them and take them up to the ward where that patient is staying or [to the] relevant department which is in charge of their care. The doctors and nurses involved in their care then analyse them and decide on that person’s treatment, depending on what the blood test shows. This is happening because Synnovis’s IT can’t communicate with ours due to the cyber-attack. Usually blood test results are sent electronically, but that’s not an option just now.' The disclosure came as more details emerged about the impact of the latest hacking incident to hit the NHS, which Ciaran Martin, the former chief executive of the National Cyber Security Centre, said had been perpetrated by Russian cybercriminals. The attack, thought to be by the Qilin gang, has forced seven London hospitals run by GSTT and King’s College trust to cancel undisclosed numbers of operations, blood tests and blood transfusions and declare a 'critical incident'.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative appears to be based on a press release, which typically warrants a high freshness score. However, similar reports have been published across multiple reputable outlets, including The Guardian and BBC News, indicating that the information is not exclusive. The earliest known publication date of substantially similar content is June 4, 2024. ([theguardian.com](https://www.theguardian.com/society/article/2024/jun/04/cyber-attack-london-hospitals?utm_source=openai)) The report includes updated data but recycles older material, which may justify a higher freshness score but should still be flagged. ([theguardian.com](https://www.theguardian.com/technology/article/2024/jun/14/london-hospitals-cancelled-nearly-1600-operations-and-appointments-in-one-week-due-to-hack?utm_source=openai)) Additionally, the narrative includes references to other articles, suggesting it may be a compilation of existing reports. ([theguardian.com](https://www.theguardian.com/society/article/2024/jun/23/nhs-patients-cyber-attack-qilin-six-month-wait-blood-test?utm_source=openai))

Quotes check

Score: 7

Notes: The narrative includes direct quotes attributed to Dr. Chris Streather, NHS London's medical director, and other NHS officials. A search reveals that similar statements have been reported in earlier material, indicating potential reuse of content. For example, Dr. Streather's comments about the significant impact of the ransomware cyber-attack on services in south-east London were reported on June 14, 2024. ([theguardian.com](https://www.theguardian.com/technology/article/2024/jun/14/london-hospitals-cancelled-nearly-1600-operations-and-appointments-in-one-week-due-to-hack?utm_source=openai)) The wording of the quotes varies slightly across sources, suggesting paraphrasing or adaptation. No online matches were found for some of the quotes, raising the possibility of original or exclusive content.

Source reliability

Score: 6

Notes: The narrative originates from the Daily Mail, a reputable organisation. However, the article includes references to other sources, such as The Guardian and BBC News, which are also reputable. The inclusion of multiple sources strengthens the reliability of the information presented.

Plausability check

Score: 9

Notes: The claims made in the narrative are plausible and align with reports from other reputable outlets. The cyber-attack on Synnovis, a pathology services provider for the NHS in London, leading to the first confirmed patient death due to delays in receiving blood test results, has been reported by multiple sources. The narrative provides specific details, such as the involvement of the Russian-speaking cybercrime group Qilin and the impact on various hospital trusts, which are consistent with other reports. The language and tone are consistent with typical corporate and official language, and the structure focuses on the claim without excessive or off-topic detail.

Overall assessment

Verdict (FAIL, OPEN, PASS): OPEN

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: The narrative presents plausible claims that align with reports from reputable organisations. However, the content appears to be a compilation of existing reports, with some quotes potentially reused from earlier material. The inclusion of references to other articles suggests a lack of originality. While the source is reputable, the reliance on previously published information and the potential reuse of quotes raise concerns about the freshness and originality of the content.

NHS
cybersecurity
ransomware
patient safety
Synnovis
Qilin