A U.S. hospital paralyzed by ransomware in 2019 will be defending itself in court in November over the death of a newborn, allegedly caused by the cyberattack.
As the Wall Street Journal reported on Thursday, the baby’s mother, Teiranni Kidd, gave birth to her daughter, Nicko Silar, on July 16, 2019, without knowing that the hospital was entering its eighth day of clawing its way back from the attack.
According to court filings, health records at the hospital – Springhill Medical Center, in Mobile, Ala. – were inaccessible. A wireless tracking system for locating medical staff was still down. And, in the labor-and-delivery unit, staff were cut off from the equipment that monitors fetal heartbeats, which are normally tracked on a large screen at the nurses’ station and in the delivery room.
Those monitors should have informed the staff of what was a life-threatening situation, alleges a medical malpractice lawsuit that Kidd has filed in the Circuit Court of Mobile County. Nicko was born with the umbilical cord wrapped around her neck, choking off her blood and oxygen. She suffered severe brain damage and died nine months later.
In a text conversation submitted in court filings and reproduced below, the attending obstetrician, Dr. Katelyn Parnell, told the nurse manager that she would have delivered Nicko via caesarean section if she’d been able to see the heart monitor’s readout.
“I need u to help me understand why I was not notified,” Parnell texted, followed by “This was preventable.”
The suit has named both Springhill and Parnell as defendants. It alleges that the ransomware attack erased what the WSJ called the “extra layer of scrutiny” that the heart-rate monitor would have provided at the nurses’ station.
The hospital has denied any wrongdoing. Springhill CEO Jeffrey St. Clair told the WSJ that the hospital handled the attack appropriately, staying open as “our dedicated healthcare workers continued to care for our patients, because the patients needed us; and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so.”
In court filings, Parnell said that she had been aware of the cyberattack, but “believed Ms. Kidd could safely deliver her baby at Springhill” at the time she was admitted.
A Tragic Legal First
This isn’t the first time that ransomware-related homicide charges have been brought, but it will be the first time that a case makes it to court. The closest yet was an incident from last September, when a German patient died while in an ambulance that had been re-routed due to a hospital having been seized by ransomware.
At the time, German police launched a negligent-homicide investigation and said they might hold the attackers responsible. It would have been the first time that law enforcement had considered a cyberattack to be directly responsible for a death, but it was subsequently determined that the patient died of other causes, leading a German prosecutor to drop the murder charge.
Who’s Behind the Allegedly Murderous Attack?
Springhill has declined to name the ransomware that was behind the July 2019 attack, but given the timing and the lack of scruples in targeting a healthcare facility, there are plenty of possibilities.
One could be the Ryuk gang, whose operators do have a track record for not being able to keep their hands off of medical facilities. Between 2019 and 2020, Ryuk malware affected hospitals in California, New York and Oregon, as well as in Germany and the U.K., resulting in difficulties with accessing patient records and impairment in critical care.
Case in point: Last September 2020, employees at Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals, reported widespread outages that resulted in delayed lab results, a fallback to pen and paper, and patients being diverted to other hospitals. The culprit turned out to be the Ryuk ransomware, which locked up hospital systems for days.
Beyond Ryuk, there are plenty more ransomware operators who lack scruples, as has been made clear during the pandemic.
For example, multiple ransomware gangs pledged not to hit hospitals because of COVID-19, including the Maze and DoppelPaymer groups. They also pledged to release free decryption keys if medical facilities were accidentally hit. But some groups – such as Netwalker – actually reneged on those pledges.
In fact, such attacks skyrocketed last October, in the middle of another U.S. COVID-19 surge, to the point that the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the U.S. Department of Health and Human Services issued a security bulletin warning of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.