A German woman has died after a hospital that had been hacked was unable to admit her, which forced authorities to transfer her unsuccessfully to another hospital.
Authorities have said that the major hospital in Duesseldorf, Germany was hit by a ransomware attack, which locked up its IT system until a ransom was paid by the hospital to hackers.
When medical workers tried to admit her to the hospital for “urgent treatment,” they were turned away and forced to travel 32 kilometers to the Wuppertal hospital, delaying her treatment by more than an hour.
The Duesseldorf University Clinic has said that its systems were hit a week before the attack, with investigators determining hackers were able to target a vulnerability in a piece of “widely used commercial add-on software.”
According to a report from the AP, “systems gradually crashed and the hospital wasn’t able to access data; emergency patients were taken elsewhere and operations postponed.”
It’s believed to be the first time someone has died as a result of a ransomware attack, data breach or hack. To make things worse, the hospital says that “there was no concrete ransom demand” in exchange for handing over control of the hospital’s IT network, leaving administrators confused as to their course of action.
German media outlets are reporting on documents from the North Rhine-Westphalia justice minister that say more than 30 servers at the Duesseldorf University Clinic were targeted by hackers and encrypted last week.
Investigators say that the ransom note left by hackers was addressed to the Heinrich Heine University, which the hospital is affiliated with, suggesting that hackers could have been trying to target the university and not the hospital.
According to the AP, “Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data.”
The hackers are no longer contactable, according to the Justice Minister.
Infosecurity Magazine is reporting that “hospital staff said that they believe data temporarily placed off limits as a result of the cyber-assault has not been irretrievably lost. A week on from the attack, the DUC’s IT systems are slowly being restarted.”
Investigators are looking for the hackers, and intend to charge them with suspicion of negligent manslaughter in connection with the death of the woman who was unable to be admitted to the Duesseldorf University Clinic.
Brett Callow of Emsisoft has told the media that as hackers continue to target vital infrastructure, schools, universities and hospitals with ransomware attacks, the death of the woman represented something that “was pretty much inevitable.”
Research from Callow’s firm, Emsisoft, showed that in the U.S. alone, more than 764 healthcare providers were targeted in 2019 with ransomware attacks, adding that this was not the first time a patient requiring treatment was forced to be relocated in the wake of a data breach.
Earlier this week we reported on the latest ‘Cost of a Data Breach’ report from IBM, which said that the average cost of remediating a data breach was USD $3.86 million. Authors of the report also mentioned that healthcare providers were a top priority target for hackers looking to launch a ransomware attack, due to the sensitive nature of the information and systems they can take control of.