Cyber and Ransomware attacks normally result in financial, reputational or operational costs to their victims. But if what happened in Alabama in 2019 is true, then ransomware has turned deadly.
In July 2019, a mother delivered her baby that had suffered brain damage as the result of the umbilical cord being wrapped around her child’s neck. The child’s death nine months later, understandably devastated the mother. What they didn’t know at the time was that the hospital, Springhill Medical Center, was under a cyber-attack during the time in which she was delivering the baby
For eight days, the staff could not access vital data, from patient records to heart monitors because of the attack. The fetal heart monitors that they used to keep track of the babies in the delivery room were among those affected and as a result, the nurses had no idea that something was out of the ordinary. Attending obstetrician Katelyn Parnell then texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”
Now the mother is suing the hospital, “alleging information about the baby’s condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nurses’ station. If proven in court, the case will mark the first confirmed death from a ransomware attack.”[1]
Based on the evidence gathered, the hack has been linked to the Ryuk hacker group, a Russian based group that has been responsible for a variety of hacks. Around the time of this hack, they were targeting hospitals across the US. Ryuk had attacked at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the U.S., since 2018. Ryuk ransomware collected at least $100 million in ransom payments last year, according to the bitcoin analysis firm Chainalysis. The group’s average ransom demand is just under $700,000, according to ransomware negotiation firm Coveware.[2]
Hospitals are probably the most valuable target for hackers and cyber extortion. The amount of Personally Identifiable Information and modern healthcare’s reliance upon technology makes them a very valuable target for cyber hackers. This type of brazen cyber-attack on healthcare infrastructure was inevitable and it wasn’t the first time something like this happened, but it was the first reported case where a death could be attributed to a cyber-attack In Dusseldorf, Germany in September 2020, a hack disrupted their university hospital systems. As a result, a woman who was forced to go to another hospital, died on the way, because the original could not intake her.[3]
Whether this lawsuit will produce a settlement is unknown at this time. What is known is that a hack happened that resulted in a life being lost because vital data was compromised, and a heavily reliant healthcare system being taken down by cyber criminals. Regardless of industry, your data is at risk. Review your cyber security protocols and be informed of what to do when it
[1] https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116?st=zg5aypc8h1hj8wz&reflink=article_email_share
[2] https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116?st=zg5aypc8h1hj8wz&reflink=article_email_share
[3] https://www.businessinsurance.com/article/20200918/NEWS06/912336721/Prosecutors-open-homicide-case-after-hacker-attack-on-Duesseldorf-Germany-hospit?utm_campaign=BI20200918BreakingNewsAlert
