An Alabama Hospital is facing a medical malpractice lawsuit because allegedly the crucial data that could have averted the demise of a baby wasn’t accessible as a result of a ransomware attack.
Springhill Medical Center located in Mobile, AL encountered a ransomware attack in 2019 resulting in extensive file encryption and a serious IT system outage. The healthcare provider had to take offline its computer systems for 8 days. During this downtime, the hospital still provided patient care with the hospital staff following the hospital’s emergency practices. Without computer systems access, the staff recorded patient data on paper charts. Springhill Medical Center released a report regarding the incident and stated it had no effect on patient care.
Teiranni Kidd went to the hospital to give birth to her baby at the time of the system downtime. She gave birth on July 17, 2019, unfortunately, the umbilical cord was wrapped around the neck of the baby leading to serious brain damage. After the birth, Kidd’s daughter Nicko was moved to a neonatal intensive care unit. Because of the brain damage, Nicko needed feeding through a gastrointestinal tube, constant oxygen supplementation, and 24/7 medical care. On April 16, 2020, Nicko passed away after 9 months of being born.
In January 2020, Teiranni Kidd filed a lawsuit in the Circuit Court of Mobile County, AL. The lawsuit claims the hospital did not notify the plaintiff regarding the ransomware attack and system outage. If the hospital had done so, Kidd would have decided to go to another hospital to give birth.
The lawsuit states doctors and nurses at Springhill Medical Center did not perform several tests before the birth that would have shown the problem of the umbilical cord being twisted around the baby’s neck. Those tests were not done because of the problem brought about by the ransomware attack.
The lawsuit claims a wireless tracker utilized to find medical staff was not operational, patient medical records were unavailable, and electronic systems that provided fatal tracing data were likewise not functioning. The lawsuit states nurses’ station did not have the patient data and the only fetal monitoring data used was a paper report located at the patient’s bedside in the delivery room.
Consequently, the number of healthcare workers who would typically watch [the plaintiff’s] labor and delivery were considerably less and essential safety-critical layers of redundancy were lacking. The lawsuit, hence, claims medical malpractice and wrongful death.
Defendant Springhill Memorial Hospital conspiratorially hid, covered up, and did not make known critical patient safety-related facts, and additionally created an incorrect, misleading, and deceitful narrative regarding the July 2019 cyberattack by intentionally not disclosing crucial factual information.
The lawsuit claims that as a proximate outcome of the non-disclosure of the cyberattack and systems outage, the baby sustained personal injuries and general damages, which include permanent injury causing her death. The hospital did not confess to any wrongdoing.
After a ransomware attack, hospitals still offer medical services to patients and observe their emergency practices and use paper charts for recording patient information, and conduct usually automated processes manually. Most emergency patients are taken to alternate facilities as a safety measure as systems are recovered and access to health records is restored.
This is the first report of a patient’s death allegedly because of a ransomware attack, though it’s not the only cyberattack that puts patient safety at risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report that during the pandemic, ransomware attacks had a negative impact on patient care and outcomes.
Additionally, Ponemon Institute conducted a recent survey on behalf of cybersecurity risk management company Censinet that revealed ransomware attacks led to longer patient stays in hospital, slowdowns in testing, and greater medical complications. The survey also showed that 22% of respondents believed that patient mortality increased after a ransomware attack.