Have Cyber-Attacks Killed People? Updated July 2025

In this week’s bulletin, Charlie discusses whether cyber-attacks have ever directly caused a death, revisiting past and recent incidents.

This is almost becoming an annual occurrence: writing a report that examines whether, as per the title, cyber-attacks have directly contributed to the death of a person or people. While there are numerous case studies showing indirect links between cyber-attacks and fatalities, my aim was to reassess whether any direct cases have emerged over the past year.

My two previous bulletins – one published in August 2022 and the other in June 2024 – both concluded that there was evidence of indirect impacts from ransomware attacks. These included increased mortality rates in hospitals under a ransomware attack, as well as several individual incidents, such as the often-cited case of the 78-year-old woman in Düsseldorf, Germany, in 2020. She was in an ambulance en route to University Hospital Düsseldorf, but due to a cyber-attack, was diverted to Helios University Hospital in Wuppertal, 32 km away. She subsequently died, although it remained inconclusive whether the delay contributed significantly to her death. Similarly, it is likely that there were indirect deaths related to the cyber-attacks on Ukraine’s power grid in 2015 and 2016, though no direct links have been substantiated.

More recently, in June 2024, there was the ransomware attack on the Synnovis laboratory in London, which disrupted access to patient records and significantly delayed the processing of blood samples. A BBC article covering the event mentioned an investigation into the death of one patient. A spokesperson for the trust stated that a detailed review had been conducted: “The patient safety incident investigation identified a number of contributing factors that led to the patient’s death,” indicating that there was no single, direct cause attributable to the cyber-attack.

This remains the closest instance found of a cyber-attack potentially contributing to a fatality. As of now, there is still no confirmed case of a cyber-attack directly causing a person’s death. Long may this last.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Recent Posts

Have Cyber-Attacks Killed People? Updated July 2025

Guidance on Writing the First External Communication After a Cyber Incident

Good, but Could Be Better: Cyber Comms Lessons from Glasgow City Council’s Cyber Attack – Initial Communications

The Kelly Report – Incident Management Lessons from the Heathrow Substation Fire

Is your business fully resilient?

BCMS 556354

FS 670199