A ransomware attack on a German hospital that took critical systems out of action and forced the cancellation of appointments and the temporary closure of its emergency department has led to the death of a patient.
On or before September 10, 2020, Düsseldorf University Clinic was attacked with ransomware. The file encryption caused systems to crash and prevented patient information from being accessed. The extent of the encryption and disruption to hospital systems forced the hospital to postpone scheduled appointments and shut down emergency services. A woman who required urgent treatment was redirected to a hospital in Wuppertal, which was around 21 miles away. As a result of the redirection, essential treatment was delayed by around an hour resulting in her death.
The investigation into the attack shows the hackers gained access to systems by exploiting a vulnerability in a commonly used commercial software add-on. It is not clear what vulnerability was exploited nor the ransomware variant used in the attack. The attack crippled approximately 30 servers at the hospital.
According to a statement issued by the hospital, “there was no concrete ransom demand.” A ransom note was found on one of the affected servers, but no ransom amount was stated. The ransom note was addressed to Heinrich Heine University, to which the medical center is affiliated, indicating the medical center may not have been the target in the attack.
Düsseldorf police were notified about the attack and made contact with the attackers using the contact information supplied in the ransomware note. When the attackers were told that the hospital had been affected by the attack and patient safety had been put in jeopardy, keys to decrypt files were provided and no demand for payment was made. It is now no longer possible to reach the attackers.
Authorities in the state of North Rhine-Westphalia are continuing to investigate the attack and are considering whether it will be possible to file charges of negligent homicide against the attackers. It is currently unclear who the attackers were, whether they can be located, and if it will be possible to extradite them to Germany if they are identified.
Ransomware attacks on medical facilities are common. According to data from Emsisoft, in the past year there have been at least 764 ransomware attacks on healthcare providers in the United States alone. These attacks often cause massive disruption and, in some cases, result in patients being redirected to alternate facilities, but this attack is the first known incident where a patient has died as a result.