A lawsuit has been filed against an Alabama hospital over the death of a baby, who is alleged to have died as a consequence of a ransomware attack that wiped out critical hospital monitoring systems. Had those systems been operational, the lawsuit alleges complications with the birth would have been identified and action would have been taken that would have saved the baby’s life.
Hospitals have long been a target for ransomware gangs and attacks have been increasing. Ransomware attacks on hospitals put patient safety at risk, but to date there have been no reported cases of a ransomware attack resulting in the death of a patient. This is the first case where a patient is alleged to have died as a result of a ransomware attack.
In September 2020, a ransomware attack on a German hospital saw patients re-routed to alternative facilities due to the lack of access to patient records and IT systems. One of those patients died before treatment could be provided, although the investigation into the incident determined the patient’s injuries were so severe that it would not have been possible to save her even if she had not been re-routed.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on ransomware attacks on the healthcare sector and warned that they can have an affect on patient outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA n the report. Further, a survey of IT and IT Security professionals working in the healthcare industry in the United States by the Ponemon Institute/Censinet indicates healthcare ransomware attacks result in delays obtaining test results, longer hospital stays, and an increase in complications from medical procedures. 22% of respondents believed the attacks led to an increase in patient mortality.
The lawsuit was filed on behalf of Teiranni Kidd, who was admitted at Springhill Medical Center on July 16, 2019 to have her baby delivered. Kidd was admitted shortly after the ransomware attack while IT systems were not fully operational. Kidd’s daughter, Nicko, was born on July 17, but there were complications with the birth. The umbilical cord had tied around her baby’s neck and resulted in severe brain damage and other complications. The baby was placed in the neonatal intensive care unit where she remained for months, and tragically died aged 9 months.
The ransomware attack had crippled the medical center’s IT systems, which remained offline for 8 days after the attack. The lawsuit alleges healthcare professionals did not have access to the baby’s fetal monitoring results, which would have indicated the baby was in distress and would have prompted an emergency caesarian, but that procedure was not performed. The lawsuit alleges fetal monitoring information was only available at Kidd’s bedside, and not via the system at the nurses’ station.
“As a result, the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which alleges medical malpractice and wrongful death amongst other claims.
One of the key issues is Kidd claims not to have been informed about the ransomware attack and its impact on critical systems. Springhill Memorial Hospital issued a statement about the attack claiming the hospital was still able to operate and patient safety was not put at risk. Kidd claims she would have had her baby elsewhere if she had been made aware of the attack and the shutdown of its IT systems.
“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” stated the lawsuit. As a result, “personal injuries and general damages, including permanent injury from which she died.”
Springhill Memorial Hospital has denied any wrongdoing. The case is scheduled for a jury trial in November 2022.