Qilin ransomware attack on London hospitals disrupted care and was linked to a death
A ransomware attack attributed to the Russia-based Qilin gang severely disrupted pathology and clinical services at London hospitals, with officials and media reports identifying the incident as the cause of widespread delays to treatment and diagnostics. Reporting on the fallout said nearly 200 cancer operations were postponed, alongside other surgeries and appointments, after systems supporting blood testing and related services were knocked offline. Qilin was identified in multiple reports as the group behind the intrusion, and it later published stolen NHS data online.
The consequences later escalated beyond operational disruption when a patient's death was confirmed to have been linked to the attack, underscoring the life-threatening impact of ransomware on healthcare delivery. Former NHS National Services Scotland CISO Alastair Mitchelson said such an outcome was tragic but not surprising when systems used for diagnosis and treatment fail at scale. Qilin reportedly expressed regret for the harm while denying responsibility, and claimed the attack was a political protest tied to grievances against the UK government.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Patient death linked to disruption from NHS ransomware attack
A death was later confirmed following the cyberattack-related disruption to healthcare systems, making the incident one of the clearest examples of ransomware causing fatal real-world harm in medical services. Coverage also noted Qilin had expressed regret for the harm while denying responsibility for the death.
Nearly 200 cancer operations postponed due to attack fallout
Reporting on the continuing impact said almost 200 cancer operations had been postponed at London hospitals because of the ransomware attack. The disruption highlighted the severe effect on patient care weeks after the initial breach.
Qilin publishes stolen NHS data online
Qilin published data stolen in the attack, escalating the incident from operational disruption to confirmed data exposure. The leak increased concerns about patient and healthcare information being compromised.
Russian-linked criminals suspected in attack; Qilin identified
Within days of the disruption, reporting said Russian cyber criminals were thought to be behind the NHS attack, with the Russia-based ransomware group Qilin identified as responsible. This marked the first public attribution of the incident.
Synnovis ransomware attack disrupts London NHS pathology services
A ransomware attack hit Synnovis, a pathology services provider for several London NHS hospitals and GP practices, causing major disruption to diagnostics and treatment services. The incident affected hospitals including King's College Hospital and Guy's and St Thomas'.
Sources
4 references tracked. Mallory keeps watching after this page renders.
NHS ransomware attack contributed to patient's death
bbc.co.uk
Open sourceAlmost 200 cancer operations postponed as ransomware group publishes London hospitals data | The Record from Recorded Future News
therecord.media
Open sourceQilin ransomware gang publishes stolen NHS data online | Computer Weekly
computerweekly.com
Open sourceRussian cyber criminals thought to be behind NHS attack
telegraph.co.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
NHS patient data breaches expose records and deepen harm to attack victims
Nottingham University Hospitals NHS Trust apologized after a public inquiry found survivors of the 2023 Nottingham attacks were not properly included when the trust investigated unauthorized access to their medical records. The inquiry said staff inappropriately viewed victims’ records without authorization, and a 2025 internal investigation uncovered broader misuse of sensitive patient information. The trust said its response initially focused too narrowly on bereaved families, while disciplinary action resulted in 11 employees being dismissed and several others receiving written warnings for serious data protection violations. Separately, the fallout from the 2024 Synnovis ransomware attack linked to the **Qilin** gang continues to widen across the NHS, with Mid and South Essex NHS Foundation Trust confirming about **2,380** specialist diagnostic testing records were affected after Bedfordshire Hospitals NHS Foundation Trust disclosed nearly **33,000** impacted records. The attack disrupted pathology services across south east London, causing canceled appointments, delayed operations, and blood testing and transfusion problems, while stolen patient data was later published online after extortion failed. NHS organizations are still identifying affected patients, and King’s College Hospital NHS Foundation Trust has said service delays caused by the outage contributed to a patient’s death.
Jun 9, 2026
Qilin Ransomware Attacks on North American Organizations
The Qilin ransomware gang has claimed responsibility for significant cyberattacks against major North American organizations, including Canadian electrical services provider Spark Power and U.S.-based recruitment firm Cornerstone Staffing Solutions. In the Spark Power incident, Qilin alleges the theft of 222 GB of data, potentially including operational files, financial records, and employee personal information, with researchers warning of possible operational disruptions if systems are locked. For Cornerstone Staffing Solutions, Qilin claims to have exfiltrated 300 GB of sensitive data, including nearly 1 million files with resumes, personal records, Social Security numbers, and internal financial documents, with sample files leaked to substantiate the breach. Qilin has emerged as one of the most prolific ransomware operations, reportedly targeting nearly 1,000 organizations since 2023 and over 500 in the past six months alone. The group’s attacks have resulted in the exposure of sensitive employee and business data, raising concerns about the operational and reputational impact on affected organizations. These incidents highlight the ongoing threat posed by ransomware groups to critical infrastructure and service providers across North America.
Mar 21, 2026
Qilin Ransomware Claims Against Georgia Organizations
The **Qilin** ransomware operation claimed responsibility for compromising the **Augusta Housing Authority (AHA)** in Georgia and published sample files allegedly stolen from the agency, including internal correspondence, financial/expense documents, and spreadsheets containing sensitive personal information (e.g., utility reimbursement recipient data and employee benefits deductions). AHA had not publicly confirmed the intrusion, but reported ongoing efforts to restore website functionality amid access issues; reporting also notes Qilin’s high operational tempo in early 2026, with numerous claimed victims across sectors. Separately, a Georgia-based healthcare provider group, **ApolloMD**, reported to U.S. regulators that a 2025 intrusion exposed data for **626,540** individuals, including **SSNs** and medical/insurance information; ApolloMD said attackers accessed its IT environment over a short window in May 2025, and Qilin publicly claimed the attack in June 2025. A third report about **Conduent’s** 2025 ransomware incident (impact estimates rising to ~25 million) describes a different victim and event and is not part of the Qilin/Georgia victim reporting described above.
Mar 21, 2026