A Cyberattack on a Hospital Led to the Death of a ChildCybersecurity oversights of a hospital in Mobile initially left a newly delivered baby with brain injuries, eventually leading to the child’s death. The 2021 July ransomware attack comes two years after a previous cybersecurity attack on the hospital, leaving patients’ lives at risk. While this is the first recorded death resulting from a cybersecurity attack, there have been thousands of other attacks in the US and abroad over the years.

Teiranni Kidd, the child’s mother, is now suing the hospital. She claims that the medical center did not inform her that the computers were down due to any kind of cyberattack occurring within the hospital. Kidd claims that she should have known about the vulnerability of her baby’s delivery before choosing to go to Springhill Medical Center, implying that she could have sought care at another hospital.

Kidd previously filed a lawsuit against the hospital in January of 2020, but amended the original suit after her daughter’s death. (Her original claims against the hospital are unknown.) The amended version of the lawsuit is considered a landmark case in the world of legal proceedings as it is the first known one where the official cause of death was caused by cyber extortion.

What is a cyberattack?

Cyberattacks and other forms of ransomware and digital extortion are becoming some of the newest and most innovative ways criminals have targeted prominent organizations for money. It is reportedly becoming an increasingly problematic issue across society, creating a multi-billion-dollar cybercriminal industry.

Ransomware is a specialized form of malware designed by skilled hackers locking up and preventing access to computer programs. In exchange for renewed access to the program, ransomware attackers demand exorbitant amounts of money. This contrasts with other cyberattacks that may directly steal financial information, implement malware, or utilize phishing techniques.

How common are cyberattacks against hospitals?

By some reports, over 800 healthcare facilities, networks, and hospitals in the United States alone have experienced some kind of ransomware attack in 2021. This is not constrained to the United States alone, however. A previous suit recorded in Germany claims that a woman died due to a ransomware attack on the hospital where she was receiving care. While judicial officials in Germany eventually decided that there wasn’t sufficient evidence that ransomware caused her death, the issue still indicates a growing problem worldwide.

This is not the first cyberattack against this hospital

This ransomware attack against Springhill Medical Center is not the first one. The healthcare center in 2019 announced to the public that it had been a victim of a “network security incident” – a phrase commonly used by organizations when referring to a cyberattack.

WKRG was the local network that originally picked up the 2019 cyberattack story, stating that Springhill Medical Center had been seeing a typical number of patients at the time but ended up turning numerous away due to the attack. Kidd and others in the community are pointing to Springhill’s previous attack and lack of a security system to indicate that it should bear liability for the child’s death.

Can ransomware lead to medical malpractice?

Ransomware is especially problematic for healthcare facilities as its networks contain critical information about patients and their health statuses. Hospital monitor patients, update health records, and send personal information to pharmacies while online. Certain new medical devices (like pacemakers) will send updates to doctors using their networks. Ransomware can jeopardize emergency lines of communication between hospital staff, cause a person’s heart to stop, and disperse personal data. The issue of life-threatening cyberattacks has been foreseen and feared by cybersecurity professionals for years, making the Springhill Medical Center case important in the public’s eyes.

Does liability fall on the facility in a ransomware attack?

As Springhill Medical Center failed to adequately provide proper medical service, communicate its network issues with Kidd, and update its cybersecurity measures following the 2019 attacks, the southern facility may be facing severe legal consequences. If the allegations are true, Kidd may have a strong claim for medical malpractice.

Of course, the real-life consequences of such issues should be considered. As previously mentioned, cybersecurity professionals have indicated that the vulnerability of networks in prominent organizations could lead to life-threatening effects. The death of Kidd’s newly born daughter is one example of this, but does not speak for the many other people who have experienced severe and life-altering injuries due to oversight.

Medical facilities sign contracts, protecting your right to private record-keeping, informed consent, and other essential assurances. Leaving you and your community vulnerable to attacks such as these violates many of the guarantees people are afforded when seeking care at a medical center.

Please contact Paulson & Nace, PLLC, through this contact form or by calling 202-463-1999.