October 5, 2021 | Policy Brief

Lawsuit Alleges Ransomware Led to Baby’s Death in Hospital

A ransomware attack in 2019 severely hindered an Alabama hospital’s ability to treat and ultimately save a baby born with a severe brain injury, according to a lawsuit first disclosed publicly by The Wall Street Journal last week. The alleged developments show ransomware can inflict not only economic blackmail and disruption but also devastating effects on people’s everyday lives, even in the places responsible for keeping Americans safe.

Springhill Medical Center in Mobile, Alabama, announced on July 16, 2019 — about a week after its initial discovery of the ransomware attack — that it was the victim of a “network security incident.” The hospital would not name the hackers. However, Alan Liska, a senior intelligence analyst at the cybersecurity firm Recorded Future, said the Russian Ryuk gang likely executed the attack. Springhill continued seeing a normal volume of patients during that time despite coping with a number of disabled critical technologies, including equipment monitoring fetal heartbeats in 12 delivery rooms.

The medical malpractice lawsuit, filed in January 2020 by Teiranni Kidd in the Circuit Court of Mobile County, alleges the hospital did not inform her of the cyberattack prior to her admission for the birth of her child. The hack prevented routine fetal heart rate information from reaching the nurse’s station and ultimately Kidd’s attending obstetrician, Dr. Katelyn Parnell, the lawsuit says. The court is scheduled to hold a trial in November 2022. If evidence supports Kidd’s claim, this case will mark the first confirmed death resulting from a ransomware attack. The episode also constitutes the first ransomware-related death case that has reached a U.S. court.

Springhill argued the responsibility to disclose complications from the cyberattack fell solely on Parnell. CEO Jeffrey St. Clair denied responsibility, stating the hospital remained open because doctors “concluded it was safe to do so.” Yet in text messages submitted as evidence, Parnell questioned why she did not know about the faulty heart rate monitor and called the baby’s death “preventable.”

A case of this nature was only a matter of time. According to a report from the Ponemon Institute, 43 percent of healthcare organizations have fallen victim to ransomware attacks within the past two years. Of that 43 percent, 70 percent encountered delays in procedures and testing, and 20 percent saw increased mortality rates.

Cyber breaches and disruptions have long interfered with hospitals’ ability to treat patients effectively. During an attack, the time it takes to access an EKG can increase by more than two minutes — potentially the difference between life and death for a heart attack patient. The 30-day mortality rate, an “outcome-of-care” measure used to determine a hospital’s ability to prevent complications, increases in the aftermath of a cyberattack, according to a March 2021 study by the CyberPeace Institute.

U.S. lawmakers are taking steps to limit the proliferation, and mitigate the impact, of malicious cyberattacks, including those involving ransomware. Recent efforts by the Senate Homeland Security Committee are particularly germane to this case. Members of the committee drafted incident reporting bills that require organizations to disclose known cyberattacks to DHS no later than 72 hours after initial detection. The bills also mandate detailed reporting of ransomware payments.

Incident reporting not only would warn patients like Teiranni Kidd of potential disruptions in care, but would also help the U.S. government share information with other hospitals experiencing similar vulnerabilities that cybercriminals could exploit.

Hospitals experience an average of 15 days of downtime when recovering from a ransomware attack. Depending on which servers the ransomware impacted, those 15 days of inoperative systems can do lasting damage to a patient’s wellbeing. Incident reporting laws would help keep other hospitals from falling victim to ongoing and imminent threats, while providing federal agencies with intelligence to better combat cyberattacks and hold hackers accountable.

Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and serves as a senior advisor to the Cyberspace Solarium Commission. Cara Cancelmo is a CCTI intern. Follow Mark on Twitter @MarkCMontgomery. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.