It was our nightmare realized: a medical center was completely paralyzed by a ransomware attack and someone died as a result (SEE UPDATE2 below for correction on that).
As of last week, the University Clinic in Düsseldorf reported that it was in a state of emergency. Operations had been canceled, and ambulances had to be redirected to other clinics. On September 10, the clinic had posted an announcement:
A Google translation reads, in part:
There is currently an extensive IT failure at the University Hospital Düsseldorf (UKD). This means, among other things, that the clinic can only be reached to a limited extent – both by telephone and by email.
The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made.
Days later, the clinic remained paralyzed and unable to function normally, even as of yesterday.
And now we read that the threat actors’ attack has resulted in a death. Associated Press reports:
German authorities say a hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.
Did the threat actors intend to hit the hospital? They may not have. According to the AP, citing German authorities, the extortion note appeared intended for the affiliated university, not the hospital. And when “police told hackers the hospital was affected, they provided a decryption key. The hackers are no longer reachable, they said.”
Does it matter that the threat actors may not have intended to hit the hospital and just hit it in error? Their criminal actions resulted in the death of someone, and they should be held accountable for that.
So far, I can find no mention of what type of ransomware this was or who the threat actors were.
Update: AP has now provided some additional details that do make it sound like the attackers intended to hit the university and not necessarily the hospital. The report also makes clear that the ransomware attack resulted in the patient needing to be transported another 20 miles away before they could initiate treatment – an hour’s delay.
Update2: Subsequent investigation reveals that the patient’s death was likely not due to the delay in receiving care secondary to having to be transported 20 miles away. So this death should not be directly attributed to the ransomware attack.