German authorities said Thursday that an apparently misdirected ransomware attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.
The woman’s death appeared to be the first resulting from a ransomware attack, even if indirectly so.
The Duesseldorf University Clinic’s systems have been disrupted for a week. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in “widely used commercial add-on software,” which it didn’t identify.
As a consequence, systems gradually crashed and the hospital wasn’t able to access data; emergency patients were taken elsewhere and operations postponed.
The hospital said that that “there was no concrete ransom demand.” It added that there are no indications that data is irretrievably lost and that its IT systems are being gradually restarted.
A report from North Rhine-Westphalia state’s justice minister said that 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported. The note—which called on the addressees to get in touch, but didn’t name any sum—was addressed to the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not to the hospital itself.
Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data. The perpetrators are no longer reachable, according to the justice minister’s report.
Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died.
Given the mounting pace of ransomware attacks that have crippled everything from major cities to school districts, the death was no surprise to Brett Callow of Emsisoft, a cybersecurity firm that closely tracks ransomware.
“This was pretty much inevitable,” he said.
In the U.S. alone, 764 healthcare providers were victimized last year by ransomware, according to data compiled by Emsisoft. It was not the first time an emergency patient had to be rerouted to a different hospital as a result.