By: Margaret House, YLS ‘22

On September 11, 2020, a woman in Germany (referred to here as Patient X) died from an aortic aneurysm while being transported the approximately 20 miles from Düsseldorf to a hospital in Wuppertal. While patients passing away during transit is not usually a newsworthy occurrence, her death is of particular significance: though widely debated, Patient X is thought to be the first person whose death could possibly be attributed to a ransomware attack.

Unfortunately, the attack on University Hospital Düsseldorf that led to Patient X’s death was not unpredictable or uncommon. The year before the attack in Germany, 764 healthcare providers in America alone fell victim to ransomware attacks. Globally, the number of ransomware attacks on healthcare entities grows rapidly each year, having increased by 35% from 2016 to 2019. Cybercriminals are also becoming more emboldened, demanding higher payments for the return of data, as hospitals and healthcare providers are more likely to pay the ransom in order to return to normal operations. Understanding the impact of ransomware attacks on hospitals is a crucial component of starting to determine how actors involved in these attacks should, and can, be held liable for their conduct. This article can only scratch the surface of these questions but will raise areas for future exploration and research.

Impact of Ransomware Attacks on Hospitals

Ransomware, which is used to extort its victims into paying large sums of money to retrieve their encrypted data, is a pernicious form of cyberattack that has proven to be quite lucrative for cybercriminals when used against healthcare providers, who often pay the ransom to regain access to their data. For example, cybercriminals in 2015 attacked MedStar Health in Washington, D.C. and demanded 45 bitcoin, or about $19,000, to restore the system’s data. Even more astonishingly, ransomware attackers in 2019 “demanded $14 million worth of bitcoin in a ransomware attack that affected 110 nursing homes across the United States.” Research conducted by RiskIQ suggests that the average payment for a ransomware attack on a direct patient care facility is about $59,000, a figure that “does not include downtime and recovery costs” or the costs of litigation by patients.

Outside of financial costs, ransomware attacks significantly hamper hospitals and their ability to treat patients. The research by RiskIQ also found that the average ransomware attack causes a hospital to lose function, at least in part, for about 10 days and results in about an 8% loss of data. Examples of major attacks provide context to these numbers, highlighting the devastation of downtime and data loss. In 2017, the ransomware “WannaCry,” thought to have been launched by the North Korean government, was used to infect several large companies globally. The UK’s NHS was most severely impacted, with the ransomware infecting “at least 81 of the 236 National Health System (NHS) hospitals in England plus 603 primary care and 595 medical practices.” The ransomware shut down “thousands of pieces of medical equipment,” caused nearly 20,000 appointments to be canceled, and forced patients seeking urgent care to be diverted to other facilities. Thus, the impact of these attacks on patient care is astronomical, potentially leading to worse outcomes and loss of life.

Questions of Legal Causality

Given the large number of medical institutions that have fallen victim to ransomware and the severe disruptions to patient care that follow such an attack, it is almost surprising that there are not more deaths that can be attributed to these cybercrimes. Ultimately, the issue is not whether ransomware attacks hurt patients (they clearly do) but rather that legal causation is difficult to prove. For example, the RiskIQ Intelligence Brief, citing a study by Vanderbilt University’s Owen Graduate School of Management, found that “[h]ospitals that have been hit by a data breach or ransomware attack can expect to see as many as 36 additional deaths per 10,000 heart attacks per year” due to delays in treatment caused by the ransomware attack. These additional deaths, however, have not been considered a direct result of the ransomware attack itself, largely because the causal connection seems to be too tenuous.

In contrast, the fact that University Hospital Düsseldorf had to turn away the ambulance transporting Patient X because its whole IT network had been crippled by the ransomware was thought by many to be enough of a causal link to consider Patient X’s death a result of the attack. Still, some challenge this contention because autopsy results showed that it is likely Patient X “would have died regardless of which hospital she had been admitted to.” As such, prosecutors in Cologne, Germany ultimately gave up pursuing negligent homicide charges against the hackers because they were unable “to show that the attack played a ‘decisive role’ in the death” of Patient X, the standard for prosecuting such a crime under their legal system. Other countries face similar requirements: they must show a significant level of causation between the cyberattack and the death that occurred. Given that more attacks on hospitals are certain to occur, the probability of fatalities is very high, making the question of how to prove such causality incredibly pressing. Thus, further research must be done to track long-term patient outcomes after ransomware attacks and to try to establish some link between the cybercriminals’ conduct and later deaths.

Interestingly, the chief public prosecutor in Cologne also considered investigating whether the hospital’s IT staff could be held culpable in any way for the death of Patient X. While the prosecutor did not end up pursuing this line of inquiry, the possibility raises an important point about causation and responsibility. Does the hospital have a duty to protect its patients from the effects of a cyberattack such that it can be held liable, either civilly or criminally, for deaths resulting from such an attack? Under this theory, the law would likely distinguish between actors that had acted recklessly or negligently, that is, did not take all the available precautions that a reasonable person or entity would take to protect the hospital’s IT system, and those who had maintained the IT security to the best of their ability but were still unable to defend against more powerful hackers. Further reflection is needed both about whether tort or criminal law could hold IT staff liable for cyber breaches and whether they should. It seems that doing so would expand liability unreasonably but may provide necessary incentives for hospitals to invest in securing their servers, something that is oft neglected and has allowed too many attacks to occur already.

While Patient X’s status as the first fatality of a ransomware attack is tenuous, her death is an ominous harbinger. There will inevitably be fatalities that can be directly and unquestionably attributed to cyberattacks. When they do occur, will we be ready to prove culpability in a way that satisfies both our sense of justice and the requirements of our legal systems? The uncertainty around Patient X’s passing indicates that we are not, in fact, prepared for this inevitability.

Suggested Readings: