Article: A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
Author: Kevin Poulsen, Robert McMillan and Melanie Evans
Published: September 30, 2021
Source: The Wall Street Journal
This article was incredibly upsetting. Up until now ransomware making victims of hospitals has always been speculated as a danger to human life. Now, we have an actual victim that has died. An unborn child’s condition was not tracked appropriately which resulted in permanent brain damage and the eventual death of the baby. Parents are suing the hospital and the physician and are still in litigation. As it happens the hospital was undergoing an aggressive ransomware attack at the time on the incident and did not inform the patients or the staff of what was occurring in the moment. The hospital was actively trying to mitigate the incident. Not an unusual occurrence as the response is immediate to these kinds of attacks. The hospital did not pay the ransom, which is to be noted. Eventually the institution was able to gain access to their patient files and recover. However, the damage had been done and the patient was irrevocably impacted. If this case is won, this will be the FIRST proven case of ransomware causing a death.
This is the consequence of saving costs on cybersecurity related training! Critical services like healthcare should be given at most importance when it comes to security. There are various certifications that hospitals should mandate for their employees such as:
HCISPP (Healthcare Information Security and Privacy Practitioner) certification to simply understanding how to safely and securely utilize company email, healthcare cyber security training needs are different for every company and every team of employees.
Hi Vanessa,
This really is a sad case. I’m sure that there have been other instances where these ransomware attacks have affected individuals getting treatment in a hospital but now there is finally one with tangible evidence. I wonder if/when the case is won how will that change how hospitals approach these types of attack? Will they adjust their risk tolerance knowing that they can be sued for the consequences of one of these ransomeware attacks?
This is very sad. I wonder how this will affect cyber insurance policies going forward and if additional riders will be required to cover situations like this. I imagine most policies cover business losses and I am not sure if they factor in the loss of life.