A woman has died following a serious cyber attack on Düsseldorf University Hospital that disabled computer systems, marking what could be the first death directly caused by hackers.
The patient, who was due to be moved to Düsseldorf University Hospital for critical care on September 11, instead had to be transferred to a hospital much further away. The lengthy transfer potentially denied the woman the care she needed, and she passed away in a hospital in Wuppertal, 30 kilometers (19 miles) away.
German officials have now launched a formal inquiry for negligent homicide, BBC News reports, which could result in any hackers caught being charged.
"If confirmed, this tragedy would be the first known case of a death directly linked to a cyber-attack. It is not surprising that the cause of this is a ransomware attack by criminals rather than an attack by a nation state or terrorists,” said Ciaran Martin, former chief executive of the UK's National Cyber Security Centre, in a statement.
"Although the purpose of ransomware is to make money, it stops systems working. So if you attack a hospital, then things like this are likely to happen. There were a few near misses across Europe earlier in the year and this looks, sadly, like the worst might have come to pass."
Despite the severity of the attack, it is likely the ransomware wasn’t targeting Düsseldorf University Hospital. In a digital ransom note delivered during the attack, the hackers demand payment from Heinrich Heine University, an affiliated but different location to the hospital. Once the police contacted the hackers and told them they had instead attacked a hospital’s life-saving systems, the hackers provided the decryption key to get the servers back up and running.
However, the systems were disabled long enough to prevent the care needed for the critically ill woman who died. German authorities are now investigating any potential leads to those responsible for the cyber attack.
Ransomware is an increasing problem, with malicious attacks disabling critical systems whilst demanding payment to stop it. Hospitals have been hit before, along with US State governments and government agencies. In 2019, almost 1,000 attacks were recorded on US educational and healthcare providers, with security Emsisoft saying ransomware attacks are approaching “epidemic proportions” as reported by Computer Business Review (CBR).
Notable cyber-attacks during 2019 include DCH Health Center, who were forced to pay an undisclosed ransom to hackers in order to restore IT systems for three of their hospitals, and multiple hospitals in Australia, where several patients' medical records were wiped from servers. Government servers have also fallen prey to ransomware, with Louisiana's governer even declaring a state of emergency after government servers were taken offline.
A death from ransomware has been predicted in recent years, but had not been reported until now.
“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020,” Reported CBR in 2019.