With so many hospitals and other healthcare centers being targeted by cyber extortionists, it was only a matter of time before a ransomware attack led to someone’s death. Discover what happened and the implications this sad development has for healthcare providers and other types of organizations.
With the number of ransomware attacks against healthcare providers rising year after year, it was only a matter of time before one of these attacks led to someone’s death. Sadly, a woman died from a series of events triggered by a ransomware attack at a German hospital.
When Dusseldorf University Hospital’s IT systems crashed on September 10, 2020, it decided to close the doors for some of its services. Besides canceling doctor appointments, the hospital postponed surgeries and told the public not to visit. It also stopped accepting patients in its emergency room, which resulted in them being sent to other hospitals. A woman with a life-threatening condition was one of the patients shuttled elsewhere. She was sent to a hospital in Wuppertal, which was about 20 miles away. This delayed treatment by about an hour, which resulted in her death.
This isn’t the first time a ransomware attack has forced a hospital to turn away patients. In 2019, ten hospitals had to stop accepting new patients due to systems and data being held for ransom by cyber extortionists.
“When nurses and physicians can’t access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers,” said one security expert. “When these systems go down, there is the very real possibility that people can die.”
A Bungled Attack
Although not much information has been released yet about the ransomware attack at Dusseldorf University Hospital, one fact is known: The hackers bungled the job. This became evident when the ransom note was found. The ransom note was addressed to Heinrich Heine University rather than the hospital. As it turns out, the hospital is affiliated with the university.
Another oddity is that the note did not specify a ransom amount. It did include contact information, though, which the Dusseldorf police used to contact the cybercriminals. The police let the hackers know that they attacked the hospital rather than the university, thereby putting patients’ health in danger. In response, the cybercriminals withdrew their ransom demand and gave the hospital the decryption key it needed to unlock its systems and data. The hackers then broke off communications with the police and disappeared.
Charges Might Be Coming
An investigation is under way to determine whether the cybercriminals should be charged with negligent manslaughter or possibly even murder. However, if the Dusseldorf police decide to press charges, they might find it hard to identify the responsible party, as most hackers are cloaked in anonymity. Even if they are identified, it might be difficult to bring them to justice if they reside in a different country.
However, Germany is the most litigious country in the world, so it wouldn’t be surprising if the woman’s family brings lawsuits against the involved parties. Since the hackers’ identifies probably won’t be known, a likely target would be Dusseldorf University Hospital. Although the hospital was a victim, too, prosecutors could argue that the hospital is negligent because it did not adequately protect its systems and data. This led to a ransomware attack that shut down the emergency room, which forced the woman to be sent to another hospital. The extra hour it took to get there resulted in her death.
While this might sound like a stretch, ransomware-related lawsuits already exist. For example, Blackbaud, a cloud-based provider of fundraising software, was the victim of a ransomware attack in May 2020. Many of its customers are now suing the company on claims of negligence, invasion of privacy, breach of contract, and violations of the California Consumer Privacy Act and similar laws.
More at Stake Than Just the Bottom Line
These recent developments highlight yet another reason why companies need to take ransomware seriously. Besides hurting a business’s bottom line and reputation, a ransomware attack can result in financial, mental, and even physical hardship for its customers. We can help you develop a comprehensive strategy to protect against ransomware so that you, your employees, and your customers can sleep a little better at night.