First reported death connected to misfired ransomware attack on German hospital

By Cameron Abbott and Keely O’Dowd

News reports have surfaced that a woman in Germany has died due to a delay in receiving medical care. What is most concerning about this death is the circumstances in which the woman tragically passed away.

According to reports, the woman needed urgent medical treatment and the hospital she presented to, Duesseldorf University Hospital, was unable to admit her as it was dealing with a ransomware attack.

The hackers exploited a vulnerability in a widely used commercial add-on software. This attack caused a failure in the hospital’s IT systems resulting in it being unable to access data and diverting emergency patients elsewhere. The woman was redirected to a hospital approximately 30km away from Duesseldorf University Hospital, which led to a delay in the woman receiving treatment. Unfortunately the delay proved fatal and the women passed away before she could be treated.

It appears the hackers had intended to attack the Heinrich Heine University as the hackers addressed the ransom note to the University. Duesseldrof police were able toestablish contact with the hackers and advised the hackers they had attacked the hospital, endangering patients. The hackers retracted their ransom demands and handed over a digital key to decrypt the hospital’s data.

This is the first reported case of a human death linked to a cybersecurity attack of a hospital. German authorities are investigating the woman’s death and whether to treat it as a homicide.

There have been quite a few hospitals around the global who have been affected by these sorts of attacks, health organisations need to recognise that general system security is an important aspect of patient safety.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.