A ransomware attack on an Alabama hospital in 2019 may have directly caused the death of a newborn baby. The baby’s mother is now suing, in what will officially be the first ransomware-related homicide case to make it to court.
According to The Wall Street Journal, on July 16, 2019, eight days into the three-week cyber attack on Springhill Medical Center, Teiranni Kidd gave birth to her daughter, Nicko Silar, during a scheduled delivery. Nicko was born with the umbilical cord wrapped around her neck and as a result, suffered severe brain damage. She died nine months later. The hospital, the lawsuit alleges, missed vital signs – namely a dangerously accelerated fetal heartbeat – that would have otherwise led to a cesarean section and would have potentially saved Nicko’s life.
As well as affecting the equipment that monitors fetal heartbeats, the court filings claim that the attack left the hospital without access to patient health records and that the wireless tracking system used to locate staff was not working.
The hospital, which denies any wrongdoing, refused to pay the ransom, the WSJ reports, and attempted to carry on as usual despite the attack knocking its IT systems offline for more than three weeks. CEO Jeffery St. Clair told the WSJ they “concluded it was safe” to continue.
Kidd’s medical malpractice lawsuit requests an unspecified amount of money from the hospital and Dr Katelyn Parnell, the obstetrician who delivered Nicko. She claims she was unaware of the severity of the cyberattack, knowledge of which might have informed her decision to choose Springhill Medical Center.
Included in the suit is a text conversation between Parnell and the nurse manager. In the texts, Parnell describes the infant's death as “preventable” and says she would have performed a cesarean section “100 %” if she had seen the heart monitor reading.
While not the first alleged ransomware death, it is the first case to make it to court. If successful, it will be the first time a ransomware attack is officially considered directly responsible for a death.
As previously reported by IFLScience, last year, a woman died after a similar attack on a German hospital resulted in her being transferred to a remote hospital. The lengthy transfer potentially denied the woman the care she needed and prosecutors in Cologne, Germany, opened a negligent homicide investigation. Charges were later dropped, however, and it was determined that the patient died of other causes.
And it seems that these are not isolated incidents. Two-thirds of health organizations report having fallen victim to ransomware attacks, which appear to have increased in number in correlation with the COVID-19 pandemic. Almost a quarter of these attacks resulted in increased mortality rates, according to a survey by cybersecurity company Censinet. These findings suggest that as well as presenting financial and logistical problems, cyberattacks have serious potential health risks, calling into question the cybersecurity of hospitals and health organizations.