Cybercrime incidents have been on a steep incline for the past few years, particularly the worst kinds of cybercrime malware like ransomware. Ransomware attacks continue to affect businesses, proven by the fact that the ransomware attack victimization rate on organizations has risen from 55% in 2018 to almost 75% in 2021. Apart from just corporate attacks, the worst kinds of ransomware attacks can transcend the cyber-physical realm, meaning that they can culminate in real-world scenarios where victims incur financial losses, or worse when their lives are put at risk.
Nothing is a better example of how terrible ransomware can be than the recent news of a new lawsuit concerning a 2019 ransomware attack on a healthcare institution in the United States. The Wall Street Journal first covered this news on September 30th, 2021 regarding the case of a ransomware attack allegedly resulting in a baby’s death at Springhill Memorial Hospital, a hospital in Alabama, U.S.
Ransomware is Increasingly Targeting Healthcare
Ransomware attacks become a special kind of evil when their focus shifts to public health: the healthcare sector. According to Sophos’ ‘The State of Ransomware in Healthcare 2021’ report, “34% of healthcare organizations were hit by ransomware in the last year.” Of those hit by ransomware attacks, 65% said cybercriminals successfully encrypted the stolen data, blackmailing and extorting medical centres and hospitals for a ransom fee. Even when a ransom is paid, the report shows that only 69% of stolen data is returned to the victims.
Apart from just the hefty financial outlay required for paying a ransom to cybercriminals, ransomware attacks targeting the critical healthcare sector cost downtime, valuable resources and worst of all can put patients’ lives at risk. Cybercriminals are looking for the quickest and most efficient ROI (Return on Investment), which is one of the reasons why they often choose to attack the healthcare industry. Cybercriminals know that attacking a hospital means that healthcare executives will be forced to pay the ransom quickly. Adding to that, the Sophos report also shows that healthcare data is easier to encrypt for cybercriminals, and that “Healthcare is less able to stop ransomware than other sectors.”
The 2019 Springhill Memorial Hospital Ransomware Attack
On July 16th, 2019 Teiranni Kidd, mother-to-be, visited Springhill Memorial Hospital in Mobile, Alabama to deliver her baby daughter, Nicko Silar. Kidd was unaware that the hospital was experiencing a ransomware attack at the time and that computers had been experiencing difficulties for days prior to that. Her daughter was born on July 17th, 2019 with the umbilical cord dangerously “wrapped around her neck”, according to the Daily Mail. More information from an NBC News article states that “doctors and nurses then missed a number of key tests that would have shown that the umbilical cord was wrapped around the baby’s neck.” ABC News confirms that “failure of electronic devices meant a doctor could not properly monitor the child’s condition during delivery.”
In 2019, local Mobile, Alabama news station WKRG (site currently not available in the EU) reported a cybersecurity incident was taking place as patients were not able to book appointments at the Alabama hospital. An anonymous man stated, “The only information they could tell me is they possibly could call me back later in the week if the computers are back up but currently they are having issues with it and they won’t elaborate any further on what’s going on.”
The First Ransomware-Related Death on Record
According to the Wall Street Journal article published on September 30th, 2021, a new lawsuit filed by Teiranni Kidd, arguing that “computer outages” caused by a July 2019 cyberattack on an Alabama hospital resulted in a baby’s death, is now moving through the U.S. courts. The lawsuit, if it goes through, could make this case the first official ransomware-related death. According to the NBC News article, “The filing is the first credible public claim that someone’s death was caused at least in part by hackers who remotely shut down a hospital’s computers.” The lawsuit also states that the hospital did not notify Kidd that computers were down as a result of the ransomware attack and that her baby daughter did not receive the proper medical care as a result of this. Kidd initially sued Springhill Memorial Hospital in January 2020, after her daughter had passed away.
Although the cybercriminals responsible for the ransomware attack have not been officially identified yet, The Wall Street Journal has claimed that it is most likely the Russian Ryuk group, known for targeting the medical sector.
The Trial is Set
So far, Springhill Memorial Hospital has denied any malpractice concerning the Kidd case and has transferred the blame to Dr. Katelyn Braswell Parnell, who delivered baby Nicko, stating that Dr. Parnell must have been fully aware of the computer system crash. According to some sources, a trial is set for November 2022.