HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records.

Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 21 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner.

The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could not be accessed.

The medical clinic was forced to de-register from emergency care, postponed appointments and outpatient care, and all patients were advised not to visit the medical clinic until the attack was remediated. A week later and normal function at the hospital has still not resumed, although the hospital is now starting to restart essential systems.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to a recent Associated Press report, 30 servers at the hospital were affected. A ransom demand was found on one of the encrypted servers. The hospital alerted law enforcement which made contact with the attackers using the information in the ransom note.

It would appear that the attackers did not intend on attacking the hospital, as the ransom note was addressed to Heinrich Heine University in Düsseldorf, to which the medical clinic is affiliated. Law enforcement officials made contact with the attackers using the information in the ransom note and told the attackers that the hospital had been affected and patient safety was at risk.

The attackers supplied the keys to decrypt files and made no further attempts to extort money. No further contact has been possible with the attackers. Law enforcement is continuing to investigate and it is possible that charges of negligent homicide could be brought against the attackers.

Until now there have been no confirmed cases of ransomware attacks on healthcare facilities resulting in the death of a patient, but when attacks cripple hospital systems and patients are prevented from receiving treatment for life threatening conditions, such tragic events are sadly inevitable.

Several ransomware gangs have publicly stated that they will not conduct attacks on medical facilities, and if hospital systems are affected, keys to decrypt files will be provided free of charge. However, even if keys are provided to decrypt files, recovery from an attack is not a quick process. Other ransomware operations have made no such concessions and continue to attack healthcare facilities.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.