In a first of its kind, a ransomware attack has been directly held responsible for a person’s death. In view of the consequences of the cyberattack, German prosecutor and police have asserted charges of “Negligent Homicide” in the ongoing investigation against ransomware attackers of Düsseldorf University Hospital. As reports suggest, the attack was unintentional and meant for another University. On realization, the ransomware gang provided the decryption key without demanding a ransom, but not before it led to someone’s fatality.
- On September 10, 2020, University Hospital Düsseldorf (UKD) was hit by a ransomware attack, mistakenly. The attackers were targeting another University with a similar name.
- Nearly 30 internal servers were affected in this attack, which limited the health care operations of the hospital to an extent that it had to deregister itself from emergency care providers list.
- A 78-year old lady in need of immediate critical care was asked to be taken to another hospital in Wuppertal, nearly 19 miles (30kms) away. This delay in medical assistance and re-route to another medical facility probably led to her death.
On September 11, 2020, a 78-year old lady from Düsseldorf required emergency medical attention as she faced a ruptured aorta. The lady’s medical history was known and stored on the systems of the health care providers at the Düsseldorf University Hospital. However, the University Hospital was under a ransomware attack that locked out their systems while the lady was being transported to the emergency ward. With the entire hospital system being under a lockdown caused by the cyberattack, the emergency responders in the ambulance carrying the patient were told to shift her to another hospital in Wuppertal, nearly 19 miles (30kms) away. With the unavailability of the patient exact records and data, the doctors at Wuppertal could not do much and the lady, unfortunately, breathed her last.
However, the doctors who attended the lady explained that delay in getting critical medical aid was the primary reason behind her unfortunate demise. It was a no brainer to drive so long when a patient was in dire need of emergency services, but the medics were still following their protocols.
Asserting “Negligent Homicide”
Christoph Hebbecker, a cybercrime prosecutor in the German city of Cologne, told the local media that his office was treating this as a case of “Negligent Homicide” against the ransomware attackers and are further investigating into the matter.
Hebbecker said, “An initial suspicion with regard to negligent homicide is justified”. So far, the investigation for attempted blackmail and computer sabotage has been underway. Further, the exact circumstances that led to the woman’s death will be investigated which will help draw conclusive evidence. But if the delay in services is the primary cause of death then the ransomware attackers can very well be charged with negligent homicide.