20 Sep 2020: Germany: Cyber attack on a hospital leaves a patient dead
The attack compromised the systems of Duesseldorf University Hospital, forcing them to send the emergency patient to a different facility, which apparently resulted in her death.
The investigation of the case is currently underway.
Here's what went down.
Details: Attack affected hospital's emergency systems
As per local media reports, the hackers exploited a cybersecurity vulnerability in Citrix's VPN software - a widely used commercial add-on software - and hampered the IT systems of the German hospital.
The intrusion blocked health workers' access to patient data and forced them to postpone operations and redirect emergency cases to other facilities in the region.
Woman: Woman sent to a hospital 32 km away, died
Among the patients being redirected elsewhere was a woman who was in a life-threatening condition.
She had to be sent to a hospital in Wuppertal, a facility 32 kilometers away from the Duesseldorf University hospital.
As a result, she did not get the emergency treatment on time and passed away. No other fatalities were reported from the incident.
Misdirection: Attackers wanted to target a different university
According to North Rhine-Westphalia state's justice minister, the hospital had 30 of its servers encrypted, of which one had a ransom note.
The message, however, was addressed to a different university and not the hospital itself.
Following this, local authorities raised alarms about the misdirected attack endangering hospital patients, prompting the hackers to back down and deliver a decryption key.
Investigation: Case being investigated, attackers still at large
Prosecutors in Cologne, Germany are investigating the matter, and if it is proven that the woman died due to the diversion to a different facility, they will treat the incident as a case of negligent manslaughter rather than cyber-attack.
Meanwhile, the perpetrators of the hospital attack, whose identities remain unknown, are still at large, as per reports.
First case: This would be the first case of death from cyber-attack
Cyber-attacks have had serious consequences, but this would be the first time an attack has led to the death of an individual.
Experts have warned for years about the risks of such attacks on healthcare facilities, be it against their internet-connected devices, like radiology equipment, or the theft of critical medical data of patients - which can drastically affect their treatment and health condition.