Interview with Helen Hughes on the cyber attack on a NHS pathology provider (26 June 2025)

Summary

This article provides an overview and transcript of a recent interview given by Patient Safety Learning’s Chief Executive, Helen Hughes, to BBC London, reflecting on the news that a patient’s death was contributed to by a cyber attack on a NHS pathology provider in June 2025.

Content

With increasing use of digital technology throughout health and care, cyber attacks present a significant and growing risk to patient safety.

Patient Safety Learning believes it is vital that NHS organisations not only invest in cyber security for themselves, but are also vigilant in checking the cyber security protocols of key system suppliers. It is also important that:

• Organisations have robust plans to recover services, prioritising patient safety, so that when attacks do happen they can be mitigated as soon as possible.
• There is clear communication with frontline healthcare professionals and patients as to what is happening if there are any disruptions, and what plans are being put in place to address this.
• Learning from these incidents is shared widely both between Trusts and nationally to improve defences against future incidents across the NHS.

In addition to recorded cases of harm, incidents may have resulted in further patient harm that is more difficult to capture. Disruption caused by cyber attacks often results in significant delays to care and treatment, with longer waits having a particularly serious impact on patients with chronic conditions and worsening health. The impact of these delays will only be seen over time. Healthcare providers need to closely monitor any patient safety risk associated with these delays and ensure that there are appropriate escalation routes to minimise future harm. 

June 2025 cyber attack

Last summer a ransomware attack on the Synnovis pathology system saw more than a thousand operations cancelled as the laboratory used by two major hospitals, King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust, was unable to report. One year on from this event, the NHS confirmed that nearly 200 patients were harmed in connection with this attack.[1]

King’s College Hospital has subsequently confirmed that one patient had "died unexpectedly" during the cyber attack.[2] Quoted by BBC News, a spokesperson for the trust said a number of contributing factors led to the patient's death, including "a long wait for a blood test result".

BBC interview

Below is the transcript of an interview on BBC London Evening News on the 26 June 2025 between our Chief Executive, Helen Hughes, and Senior Broadcast Journalist and Presenter Victoria Hollins, responding to this news. You can watch the interview starting at 18 minutes and 38 seconds on BBC iPlayer here.

Victoria Hollins: Next, a ransomware attack last June on pathology services in the NHS in London has now been linked to the death of a patient. The attack, which targeted Synnovis, a private firm managing blood tests for the NHS, saw more than 10,000 appointments cancelled at the two worst affected trusts in London.

Well earlier I spoke to Helen Hughes, who is Chief Executive of the charity Patient Safety Learning, the charity that campaigns to improve patient safety. I began by asking for her reaction to the news that the ransomware attack had been linked to a patient's death.

Helen Hughes: I mean it’s just horrible, isn’t it, to hear that someone’s death has been contributed to by this. At the time of the ransomware attack there was an expectation that it wouldn’t cause much harm, there may be some inefficiency and some delays in treatment, but it wouldn’t have as significant effect as it has. It’s horrifying that someone’s death should emphasise how important it is that we get cyber security right in healthcare.

Victoria Hollins: And getting it right, how is the NHS doing on that? Does it prioritise cyber security, and the patient experience as part of that?

Helen Hughes: You know, we do hear very much about how importantly the NHS is taking cyber security and the investment they're making. There are concerns within the NHS that the investment isn’t coming through quickly enough, and I suppose the risk that has been evidenced by this patient death might help release some of those resources.

So it is taken seriously. The more the NHS relies on digital services, and that’s a good thing, because that really helps conditions and patients have the right information at the right time, but it does evidence the vulnerability. So it is important, and I’m sure people will be just really quite upset on the impact this has had because it's clearly not what people go to work to do. You know, IT experts, Chief Execs, Cyber Security Leads, are trying to avoid this happening but I suspect the risks are increasing, so they need to be more mindful.

Victoria Hollins: And the NHS is of course so big and is using so many different parties, it's not just the NHS is it? Is that a concern for patients?

Helen Hughes: There was at the time because with this particular incident it was a third party supplier of pathology services, and there are a lot of services, diagnostic services, admin services, a whole range of services that supply to the NHS under contract. So, the NHS firewall is a very secure vehicle for protecting the NHS, but when you buy in services from other third parties, the security of those and the risk assessment and the management and the contract management of those needs to be as good, if not better.

References

1. Health Service Journal, Nearly 200 patients harmed in major cyber attack, 18 June 2025.
2. BBC News, Ransomware attack contributed to patient’s death, 25 June 2025.