England: Cyber attack on pathology service provider led to a patient's death
A cyberattack on a pathology service provider in 2024 paralyzed numerous London clinics and practices. It also resulted in the death of a patient.
The consequences of a cyberattack on the pathology service provider Synnovis in June 2024 are becoming increasingly clear, as recent investigations show. The attack, which had a massive impact on numerous London clinics, also contributed to the death of a patient. This was reported by the BBC, among others.
According to NHS England, this was a “serious incident” as blood results could not be provided in time due to the IT disruption. This demonstrably led to a delay in patient care and thus to the death of a patient. The official guidelines emphasize that “unintentional or unexpected incidents, actions, or omissions that result in harm or death” are also to be classified as serious safety incidents.
As the patient's death was directly attributable to the delay caused by the cyberattack, the criteria for a serious incident resulting from an “external event” in healthcare are clearly met: “Acts and/or omissions occurring as part of NHS-funded healthcare […] that result in: unexpected or avoidable death of one or more people.”
The delay in providing the blood results is considered to be a major contributing factor among several causes that ultimately contributed to the patient's death, as reported in the HIPAA Journal – a specialist journal for data protection and IT security in healthcare. This would be the first death in Europe to be specifically linked to ransomware as a cause.
Far-reaching effects
The attack, which is attributed to the cybercriminal group Qilin, paralyzed central IT systems and led to numerous London hospitals having to severely restrict their services. More than 10,000 outpatient appointments and over 1,700 planned procedures, including vital treatments such as organ transplants and cancer therapies, had to be postponed.
In addition, the IT systems of the blood transfusion laboratories were severely impaired, which led to an acute shortage of blood reserves, particularly blood group O. As a result, not only the public, but also NHS staff and medical students were actively encouraged to donate blood. Medical students were also encouraged to help out in affected clinics, for example as messengers for laboratory data or in patient care.
In the first few days after the attack, only a fraction of the usual blood tests could be carried out in some clinics, which particularly impacted chronically ill and high-risk patients. GP practices that rely on Synnovis' laboratory services were also impacted, meaning that routine tests could only be carried out with a delay or not at all. According to a Bloomberg report, Synnovis estimated the financial impact of the attack to be at least 32.7 million pounds.
There has been speculation for years whether people have already died as a result of a cyberattack. One case involved a patient from Düsseldorf who died after having to be transferred to another hospital due to a cyberattack.
(mack)