By Portia Cole, emergent threat researcher, Avertium.
Labeling ransomware attacks as a matter of life and death may seem exaggerated, but in the realm of healthcare, it has proven to be a harsh truth. In recent years, cases of patients whose deaths have been linked to ransomware attacks have started to emerge. With recent trends indicating a surge in attacks on the industry, it is possible the human toll will only grow.
That toll does not take a single shape. If past cyberattacks are any indication, ransomware attacks can lead to compromised care or no care at all, and studies have found even neighboring facilities can be negatively impacted. Here is an overview of what healthcare organizations and their patients have suffered thus far, and what your organization can do to protect itself.
Cyberattacks with huge costs
In what has been called the “first alleged ransomware death,” an Alabama woman arrived at Springhill Medical Center in July 2019 to give birth, unaware that the hospital had fallen victim to a ransomware attack the week prior. It had yet to be resolved, and as a result, the equipment that monitors vital signs wasn’t transmitting information to the nurses’ desks, leaving staff unaware that the baby was in distress.
The infant was born with the umbilical cord wrapped around her neck and suffered severe brain damage; she died nine months later. The delivering doctor stated that, had she been shown the monitor’s readings, she would have opted for a cesarean section; in a text to a nurse manager about the unfolding situation, she wrote, “This was preventable.” The mother filed a malpractice lawsuit.
A 2021 ransomware attack on St. Margaret’s Health in Spring Valley, Illinois, led to a different kind of death: the death of a hospital. After the attack, the hospital was unable to submit claims to Medicare/Medicaid or insurers for months, contributing to a financial crisis. The hospital announced it would close its doors in June 2023.