Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack and that the mother was not informed that patient care had been affected by the incident.

Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts.

Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”

During the system downtime, Teiranni Kidd arrived at the hospital to have her baby delivered. Her baby was born on July 17, 2019 but tragically the umbilical cord had become wrapped around the baby’s neck resulting in severe brain damage. Following the birth, Kidd’s daughter Nicko was transferred to a neonatal intensive care unit. Due to the brain damage, Nicko required frequent oxygen supplementation, had to be fed through a gastrointestinal tube, and needed around the clock medical care. Nicko died 9 months later on April 16, 2020.

In January 2020, a lawsuit was filed in the Circuit Court of Mobile County, AL on behalf of Teiranni Kidd, as mother and next friend of Nicko Silar. The lawsuit alleges the hospital failed to inform the plaintiff about the cyberattack and outage, and had the hospital done so, she would have chosen a different hospital for labor and delivery.

The lawsuit alleges physicians and nurses at Springhill Medical Center failed to conduct multiple tests prior to the birth which would have revealed the umbilical cord had wrapped around the baby’s neck and that those tests were not conducted due to the distraction caused by the ransomware attack.

The lawsuit alleges a wireless tracker used to locate medical staff was out of order, patient health records were inaccessible, and electronic systems that provided fatal tracing information were also not working. The lawsuit alleges patient information was not available at the nurses’ station and the only fetal monitoring information was a paper record at the patient’s bedside in the labor and delivery room.

“As a result, the number of healthcare providers who would normally monitor [the plaintiff’s] labor and delivery were substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which claims medical malpractice and wrongful death.

“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” according to the lawsuit.

The lawsuit alleges that as a proximate consequence of the non-disclosure of the attack and outage, the baby suffered “personal injuries and general damages, including permanent injury from which she died.” The hospital has denied any wrongdoing.

Following a ransomware attack, hospitals continue to provide medical services to patients in their care and follow their emergency protocols and switch to recording patient information on paper charts and conducting normally automated processes manually. It is common for emergency patients to be redirected to alternative facilities as a precaution while systems are restored and access to medical records is regained.

This is the first case where a ransomware attack is alleged to have resulted in a patient death, although it is not the only attack where patient safety has been put at risk. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on healthcare ransomware attacks during the pandemic and confirmed the impact they have had on patient care and outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA in the report.

Also, a recent survey on IT and IT security professionals at healthcare delivery organizations in the United States conducted by the Ponemon Institute on behalf of cybersecurity risk management firm Censinet revealed respondents believed ransomware attacks resulted in an increase in the length of patient stays in hospital, delays in testing, and an increase in medical complications. 22% of respondents believed there was an increase in patient mortality after a ransomware attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.