Hospital ransomware attack led to infant's death, lawsuit alleges
Photo: Soumil Kumar/Pexels
A new report in The Wall Street Journal details a cyberattack that may, a lawsuit alleges, have caused the first fatality linked to ransomware in the U.S.
WHY IT MATTERS
The ransomware attack that targeted Mobile, Alabama-based Springhill Medical Center in July 2019 knocked the hospital's IT systems offline for more than three weeks, according to the report – necessitating a return to paper charting, disrupting staff communication and compromising visibility of fetal heartbeat monitors in the labor and delivery ward.
In the lawsuit, Teiranni Kidd alleges that she was not informed that the hospital was in the midst of fending off the cyberattack when she arrived for a scheduled labor induction.
When Kidd's daughter was delivered, she was unresponsive with the umbilical cord wrapped around her neck; she was resuscitated but died nine months later of subsequent brain damage.
The suit alleges that Springhill's disabled IT systems meant that critical data about the baby's elevated heart rate – information that could have enabled a faster delivery by caesarean section – was not available to the attending obstetrician.
"Upon information and belief, the only fetal tracing that was available to healthcare providers during Teiranni's admission was the paper record at her bedside," according to the lawsuit.
"Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses' station or by any physician or other healthcare provider who was not physically present in Teiranni’s labor and delivery room," the suit alleges.
"As a result the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated."
The hospital denies wrongdoing.
"We stayed open and our dedicated healthcare workers continued to care for our patients because the patients needed us and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so," said Springhill Medical Center CEO Jeffrey St. Clair, in a statement supplied to the Journal.
THE LARGER TREND
"If proven in court, the case will mark the first confirmed death from a ransomware attack," according to the WSJ – which spoke to analysts who believe Springhill was targeted by the Ryuk variant, which has hobbled hundreds of hospitals and nursing homes in recent years.
But this is not the first fatality suspected to be linked to a ransomware attack. A year ago, Healthcare IT News reported on the death of a German woman, after her care was delayed when an ambulance was forced to be rerouted 20 miles out of the way, after Düsseldorf University Clinic's servers were encrypted.
As the ransomware epidemic has ramped up in volume and intensity, many experts have feared that adverse incidents like these would become more common. Just recently, a new report from the Ponemon Institute showed a link between ransomware and increased mortality rates.
Of the 600 health IT and security leaders polled, 43% of respondents said their organizations had experienced a ransomware attack. Of those, 45% said they believed the attack resulted in a disruption of patient care operations; 70% cited delays in procedures and tests; 65% said there was an increase in patient transfers or facility diversions; 36% pointed to an increase in procedure complications; and 22% said mortality rates increased.
More hospitals are making bigger investments to combat ransomware's threat to patient safety – something that's long overdue. So too is a more robust enforcement response, which also seems to be happening – as evidenced by the Department of Justice's recent promise to elevate ransomware probes to terrorism-level priority.
ON THE RECORD
"This is a shocking and sobering account of the real world impacts of cyber attacks," said Doug Britton, CEO of cybersecurity workforce firm Haystack Solutions, in a statement about the Wall Street Journal report. "This should make it very clear to anyone who believes cyber attacks are a harmless way to make illicit profits from faceless corporations; cyber attacks have consequences."
"It was inevitable that a ransomware attack would be blamed for a death; now it has happened," added Saryu Nayyar, CEO of security firm Gurucul. "We can only hope that law enforcement starts taking ransomware and other hacking attacks more seriously, and that organizations using their systems in life-critical roles will work to improve their cybersecurity practices."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.