In July 2019, an Alabama hospital was dealing with a ransomware attack that had shut down computer systems throughout the hospital. A pregnant woman went to the hospital to deliver her baby. She has filed a lawsuit against the hospital that claims the loss of monitoring technology ultimately caused the death of her infant.
The Wall Street Journal reported this week that Teiranni Kidd filed a lawsuit claiming that Springhill Medical Center did not disclose critical patient safety-related information, including the fact that hospital operations and patient safety were compromised by the attack. The baby was diagnosed with severe brain damage at birth and died nine months later.
Kidd’s baby was born with the umbilical cord wrapped around her neck. That cuts off oxygen to the baby’s brain and causes the heart rate to drop. This change shows up on fetal heart rate monitors and usually prompts doctors to do a cesarean delivery to prevent brain damage.
At the nurse’s desk in the labor and delivery unit, the monitors that track fetal heartbeats in the delivery rooms were not working due to the ransomware attack, according to reporting from the WSJ. The heart monitors are usually tracked on a large screen at the nurse’s station as well as in the patient rooms. The attending obstetrician texted the nurse manager that she would have delivered the baby by cesarean if she had seen the monitors, according to the WSJ.
When attackers hit organizations offering critical care, they do so with the expectation that the target will submit, primarily because of the potentially disastrous outcomes, according to Purandar Das, president and co-founder at the security company Sotero.
“What attackers don’t realize or don’t want to acknowledge is that even a minimal disruption could cause loss of critical care or even deaths,” he said. “Public sentiment should cause stronger action against, not just the attackers, but also the countries that provide them safe harbor.”
According to the lawsuit, the medical center released a statement on July 16, 2019 about the incident:
“We are currently addressing a security incident affecting our internal network. After learning of this issue, we immediately shut down our network to contain the incident and protect all data, notified law enforcement, and engaged leading outside forensic experts to support our investigation. As we have worked diligently to investigate and remediate the incident, our staff has continued to safely care for our patients and will continue to provide the high quality of service that our patients deserve and expect.”
A few days later the hospital released another statement that said patient safety is a priority and that the hospital “would never allow our staff to operate in an unsafe environment.”
Das said that organizations have to take a hard look at their resilience and back up operational plans. Just as they plan to operate in the event of a catastrophic loss of power, they need to develop and implement plans to recover, in the event of network and connectivity loss. Training is important for resources that have depended on networks and applications, for all phases of interaction.”
Hospitals and ransomware
HIPAA Journal reported in July that ransomware was the cause of six of the top 10 healthcare data breaches in June. The report found that the number of reported breaches of 500 or more records increased for the third straight month. Seventy data breaches were reported to the Health and Human Services’ Office for Civil Rights. This is the highest monthly total since September 2020 and significantly larger than the average of 56 breaches per month over the last 12 months. In June, ransomware attacks hit these healthcare providers: Northwestern Memorial HealthCare, Scripps Health, Renown Health, Minnesota Community Care, Prominence Health Plan, NYC Health + Hospitals and Reproductive Biology Associates.
United Health Centers also got hit by a ransomware attack recently. The ransomware group Vice Society said its August attack allegedly impacted all of the healthcare provider’s locations. The incident reportedly led to the theft of patient data and forced the organization to shut down its entire network, according to BleepingComputer.
The FBI warned in May that healthcare providers were still a big target for ransomware groups and the Conti attack in particular.
Healthcare providers are already crumbling under the ongoing pandemic and the persistent ransomware attacks have made that task even more difficult.
Some criminal groups have put hospitals and healthcare agencies involved in COVID-19 research and care on a “do not attack” list. Other groups have increased their attacks against the healthcare sector. Cyber attacks affect first responders, individuals in need of emergency care, and doctors and nurses trying to provide care.