When Teiranni Kidd arrived at the Springhill Memorial Hospital in Mobile, Alabama on July 16, 2019, the expectant mother had no idea the hospital was being held hostage by Russian ransomware. Even after she checked in with staff to give birth, she wasn’t told that a ransomware attack had crippled access to key components of the hospital’s medical records and vital patient data, like fetal heartbeat monitoring equipment.
Tragically, her baby, Nicko Silar, was born with an umbilical cord wrapped around her neck, and the resulting oxygen deprivation to her brain caused a litany of debilitating conditions. Within nine months of her delivery, Nicko Silar was dead.
Kidd’s family has since filed a lawsuit against the hospital and administrators for not disclosing to patients and staff that the hospital was forced to offer compromised care, which they claim directly led to Nicko Silar’s death. The attending OB-GYN, Katelyn Parnell, who is also a defendant in the suit, later blamed the hospital for the baby’s botched delivery, pointing out that she’d been unable to see the fetal monitor readout, and if she’d had a working fetal heart rate monitor, she would have immediately opted for an emergency C-section.
Depending on the results of the lawsuit, Nicko Silar could become the world’s first known death by ransomware.
Ransomware is a form of cybercrime that refers to what happens when hackers break into and lock a network, and then demand ransom to release it. Typically, the ransom is in the millions and is paid in cryptocurrency. In recent years, hackers have targeted manufacturers, transportation/logistics companies and construction firms as well as local governments, school districts and hospitals. The computer security firm eSentire documented in its 2021 Ransomware Report that 292 organizations were hit with such attacks between January 1st and April 30th alone — and all 292 were conducted by just six hacker groups.
Some of the most notable attacks of the last few years have been very costly. Last year, a ransomware offensive against the world’s largest meatpacker, JBS, ended with the company paying roughly $11 million to the hackers. Meanwhile, when the D.C. Metropolitan Police refused to pay ransom to Russian extortionists, the police saw sensitive data leaked. And in May, Colonial Pipeline announced that it had “shut down its 5,500 miles of pipeline, which it says carries 45 percent of the East Coast’s fuel supplies” when targeted by hackers. While the FBI immediately began an investigation, Colonial Pipeline quietly paid a ransom of 75 Bitcoin, which was worth roughly $5 million at the time.
The culprits behind the attack were part of DarkSide, a Russian self-described hacking “affiliate program.” The group was identified by a Bitcoin wallet through the computer security company Elliptic. In its report, Elliptic also noted that “in total, the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million. Ransoms associated with previous attacks were paid to other wallets.”
In June 2021, FBI Director Christopher Wray signalled how serious his agency considers the growing wave of ransomware attacks, comparing them to difficulties the intelligence community faced in the wake of 9/11. “There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Wray told the Wall Street Journal.
Since 2016, ransomware groups have increasingly targeted hospitals and health-care providers. In 2020, these attacks cost the health-care space nearly $21 billion and affected some 600 hospitals, clinics and health-care organizations. Now, as hospitals deal with a global pandemic, the threat is even more serious.
Again, in Teiranni Kidd’s case, the hospital allegedly chose not to inform patients or adequately prepare doctors and staff for what challenges the ransomware attack posed and how much it compromised the hospital’s ability to provide sufficient care. As stated in the lawsuit, “As a result of the cyberattack, nurses and other health-care personnel were forced to use outdated paper-charting methods and paper documentation to record and document Teiranni’s labor and Nicko’s delivery. Some of the paper forms used outdated terminology and had not been used in years.”
The hospital, however, has denied wrongdoing, and released a statement saying, in part, “We are proud of the way the Springhill family maintained [things] while addressing the cybercriminal attack in July 2019. We stayed open and our dedicated health-care workers continued to care for our patients because the patients needed us. We, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so.”
But Kidd’s lawsuit alleges that the hospital “had a duty to disclose that the hospital’s computer and network systems had been crippled by a cyberattack for days” and that “the hospital’s computer and network systems, used for patient care and safety, had been rendered ineffective and inoperable,” which “placed at risk, patient safety.” Had Kidd known of the ransomware attack, she “would have gone to a different and safer hospital for labor and delivery.”
The reality is, ransomware attacks are becoming more and more common in our online world. Moreover, due to the Bush-era Meaningful Use Program initiated in 2008, hospitals receive funds to encourage the use of electronic health records (EHRs), which has led to rapid adoption of new IT by hospitals, but without the IT staff necessary to run and support the new EHRs protocols, putting them at increased risk of such attacks. And so, regardless of what’s determined in Nicko Silar’s case, the care a hospital provides can no longer be measured just by the expertise of its medical staff, because your doctor’s office is only as safe as its last security breach.