A ransomware attack on Springhill Medical Center, Alabama, may have caused the death of a baby, a new lawsuit alleges, as reported by the Wall Street Journal.
In 2019, the facility shut down its computer systems for eight days, denying healthcare workers access to medical equipment and making decades of health records inaccessible.
The ransomware attack allegedly affected how the nurses’ station monitors fetal heartbeats and could have led to the first ransomware casualty in the hospital, according to the plaintiffs.
An Alabama woman Teiranni Kidd delivered the deceased baby in the hospital during the ransomware attack under unordinary circumstances. The baby’s umbilical cord was wrapped around her neck, causing severe brain damage that eventually led to the baby’s death eight months later.
Ransomware attack leads to a negligent homicide investigation
The lawsuit accuses the hospital of not doing enough to prevent the ransomware attack and trying to hide its severity.
The lawsuit alleges that the ransomware attack prevented Dr. Katelyn Parnell, MD, the presiding OB-GYN, from learning about the baby’s condition.
The Wall Street Journal reported that Dr. Parnell texted the nurse manager, claiming that she would have delivered the baby using the caesarean method if she knew the child’s condition. Text messages between Dr. Parnell and the manager showed the doctor describing the situation as preventable and wondering why the hospital did not notify her. The lawsuit also claims that the ransomware attack disrupted how the nurses monitored the baby’s heart rate.
Hospital blames doctor for not informing the patient of a ransomware attack
However, the hospital denies those allegations now subject to a negligent homicide investigation.
The facility’s CEO Jeffery St. Clair said they resorted to staying open because they believed it was safe to continue operations. Additionally, the facility claimed that its dedicated and independent health care workers continued serving its patients during the incident.
The hospital adds that it was Dr. Parnell’s obligation to inform Ms. Kidd about the ransomware attack. Dr. Parnell said she was aware of the ransomware attack but believed that Ms. Kidd could safely deliver the baby.
Other employees said they were initially in the dark about the ransomware attack. The only hint was the notes taped to the computers claiming that EHR records were down until further notice. Only later did they learn that it was a ransomware attack.
Kidd’s allegations are hardly outrageous because a ransomware attack could delay emergency care leading to the demise of any patient.
Impact of ransomware attack on human life
“It was inevitable that a ransomware attack would be blamed for a death, now it has happened,” says Saryu Nayyar, CEO at Gurucul. “And it’s a baby, to boot, in a hospital that was fighting the attack. The hospital lacked ongoing access to the child’s condition, making it impossible to track a downward trajectory.”
Ron Bradley, VP at Shared Assessments reiterated that it was disheartening that “a child may have died due to a failure of technology controls.”
However, determining whether the patient died because of the hospital’s response to the cyber-attack could be incriminating. Many organizations attempt to hide information regarding a ransomware attack to avoid reputational damage. This form of deception could prove disastrous when irreparable damage is traceable back to the organization’s cybersecurity incident response.
This particular case also suggests that other professionals apart from cybersecurity experts could get in trouble for lacking adequate cybersecurity training and incident response preparedness.
“Those of us that have been around long enough will appreciate the difference between analog and digital, AM v. FM, tapes v. compact disks, pagers v. smartphones, etc,” Bradley said. “I draw this comparison to bring out the importance of reverting to analog techniques in the case where digital technology fails.”
While the outcome of this case is far from over, it could set a precedent that could have a huge impact on future rulings.
“While the attackers will almost certainly blame the hospital for not paying the ransom, or not bothering to respond at all, this outcome was inevitable at some point, demonstrating that the loss of systems and data can also mean the loss of life,” added Nayyar.
“We can only hope that law enforcement starts taking ransomware and other hacking attacks more seriously and that organizations using their systems in life-critical roles will work to improve their cybersecurity practices.”