Patient Death Linked to Ransomware Attack on Pathology Services Provider
An investigation of the unexpected death of a patient during the ransomware attack on Synnovis, a provider of pathology services to the National Health Service (NHS) in the United Kingdom, has confirmed that the attack contributed to the patient’s death. This is one of the first times that a patient’s death has been directly linked to a cyberattack.
Synnovis provides diagnostics, testing, and digital pathology services to hospitals, doctors, and other NHS healthcare providers across southeast London. On June 3, 2024, Synnovis fell victim to a ransomware attack. The attack was conducted by the Qilin ransomware group and caused major disruption to healthcare services at a large number of hospitals and healthcare providers across southeast London. More than 10,000 appointments were cancelled due to the attack, and the disruption has continued for months. The attack led to a blood shortage locally and reduced blood stocks across the country as healthcare providers were forced to use O-negative blood due to limitations placed on blood matching due to the attack. A year on from the attack and blood stocks remain low.
Kings Collect Hospital NHS Foundation Trust, one of two NHS Trusts that contract with Synnovis, confirmed this week that an investigation of the death of a patient during the cyberattack has concluded and confirmed that the cyberattack was a contributory factor leading to the patient’s unexpected death. As is standard procedure when a patient dies unexpectedly, a detailed review was conducted of the patient’s care to identify the factors that led to the patient’s death. While the patient safety incident investigation identified several contributing factors, one of the main factors was the long wait for blood test results due to the impact the cyberattack had on pathology services.
“We are deeply saddened to hear that last year’s criminal cyber attack has been identified as one of the contributing factors that led to this patient’s death,” said Synnovis chief executive, Mark Dollar. “Our hearts go out to the family involved.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Qilin also stole sensitive data in the attack and published the data online when the ransom was not paid. The hackers reportedly demanded around $50 million. In January, Synnovis said the attack caused more than £32 million ($43 million) in costs. While it has yet to be confirmed exactly how many patients had their data stolen in the attack, more than 900,000 patients are thought to have had their data stolen. In an effort to apply pressure to get the ransom paid, Qilin started publishing sensitive patient data, including the names of patients with cancer and symptoms of sexually transmitted infections. The stolen data is believed to have included names, dates of birth, NHS numbers, and the pathology/histology forms used to share patient information between different departments and medical institutions. The investigation and file review are in the final stages, and a year after the data was stolen, patients will soon learn if they have been affected.
