Even though it was subsequently disproved, a lot of people still claim that a patient death following a ransomware attack on a German hospital was the result of the attack. It wasn’t, but WSJ has a story about what might be the first death that can be attributed to a ransomware attack.
Kevin Poulsen, Robert McMillan and Melanie Evans report on a tragic case involving a baby born with the umbilical cord wrapped around its neck. As a result of a ransomware attack that was still unresolved after 8 days, warning signs on fetal monitors were overlooked or not shared with the obstetrician in a timely manner. The baby suffered severe brain damage from oxygen deprivation and died at 9 months.
Amid the hack, fewer eyes were on the heart monitors—normally tracked on a large screen at the nurses’ station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”
Read about the case on WSJ. I would guess that regardless of any litigation, this baby’s death has haunted the personnel involved in the case.
Whoever the ransomware threat actors were, they should be on the sanctioned list and a high priority for law enforcement. A baby died because care was impacted. Negligent homicide? Murder? I’m not a prosecutor, but I think they need to be found and charged. And brought to this country to stand trial.
The family may understandably try to hold the hospital accountable on some level for decisions it made in response to the attack or for missing the monitor’s warning, but when all is said and done, this is on the criminals.