A new lawsuit alleges that a baby born with severe brain injury at a hospital in Alabama died, at least in part, because the facility was suffering from a ransomware attack, which led to a botched medical procedure.
Hospitals have become targets of digital hackers that hold patient medical records and software programs hostage in exchange for a ransom. This is the first legitimate public claim that a patient died as a direct result of one of these attacks.
A Victim of Cybercrime
The suit was filed by Teiranni Kidd, the child’s mother. She claims that Springhill Medical Center in Mobile, AL didn’t tell her that their computers were down during the attack and that they failed to deliver quality care when she arrived to deliver her child in 2019.
Springhill announced to the public in 2019 that it was a victim of a “network security incident,” a phrase often used to describe ransomware attacks. However, a local news station reported at the time that the facility was turning patients away due to the attack, even though they claimed they were seeing a regular volume of patients.
Kidd first filed the lawsuit in January 2020 but amended it after her daughter passed away in July the following summer. Both Springhill and Kidd’s lawyer declined to comment as the suit is ongoing.
According to the suit, the facility didn’t tell Kidd that the system’s computers were down when she came in. As a result, the nurses and doctors didn’t perform key tests when the baby was delivered with the umbilical cord around its neck, which led to brain damage and eventually the child’s death nine months later.
Kidd claims that had she known about the attack, she would have gone to another facility to deliver her child.
A Troubling Trend
Ransomware has evolved into a multi-billion-dollar industry over the last several years as hackers go after high-profile targets, such as utility, IT, and healthcare systems.
Studies show 850 U.S. hospitals and medical facilities have been affected by ransomware this year alone. In many cases, the company will pay the ransom to bring their electronic medical records and digital services back online.
Experts say they are growing increasingly worried about the security of the healthcare industry. A single attack can bring patient care to a halt as computers shut down.
Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, says it was only a matter of time before someone died as a result.
“It’s an awful thing, but we’ve been expecting this for years to happen, because when things go wrong, eventually somebody’s going to die,” Liska said.
In another case from 2020, a German woman died after being rerouted to another hospital because the closest facility was hit with ransomware. However, government officials later ruled there wasn’t sufficient evidence to suggest the attack was the root cause of her death.
There have been many high-profile cases of hospitals getting hit with ransomware.
The University of Vermont (UVM) Medical Center was hit late in 2020 when their systems crashed. They eventually found a note with instructions to contact the digital hackers. The center had to shut down email, internet access, and major chunks of the organization’s computer network to stop the perpetrators from doing more damage.
Staff say they couldn’t access patient electronic health records, payroll services, and other digital tools for nearly a month. The facility didn’t end up paying the ransom, but the attack ended up costing $50 million.
UVM Health Network Chief Medical Information Officer Doug Gentile, MD has some advice for other hospitals: “If cybersecurity isn’t one of your top two priorities, it needs to be,” he says. “If you don’t have a very robust security profile, you’re likely to get hit.”
Officials say these attacks are becoming more common, and healthcare systems are often an easy target. These organizations have thousands of employees. It only takes one of them to click on a fake email to trigger an attack. When people’s lives are on the line, companies may also be more likely to pay up.
Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force, says, “Hospitals’ systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”