German authorities have opened a “negligent homicide” investigation related to a ransomware attack that struck a hospital in Düsseldorf on Sept. 10, according to local press reports.
The cyberattack caused network outages that forced the clinic to reroute patients in need of emergency care elsewhere. One 78-year-old woman who required immediate attention for an aneurysm died after being sent to another city, reports Bild, a German newspaper.
Christoph Hebbecker, who heads a cybercrime unit at the public prosecutor’s office in Cologne, said Friday that the inquiry was “justified,” though the circumstances of the woman’s death are still being investigated, reports Kölner Stadt-Anzeiger, another German newspaper. The homicide probe adds to investigations of blackmail and computer hacking already underway.
Some cybersecurity experts have suggested that the fatality could be the first recorded death linked to a ransomware attack. The hospital and public prosecutor’s office did not immediately return Fortune’s request for comment.
Holding health care hostage
When an ambulance conveying the patient approached the University Hospital of Düsseldorf on the night of Sept. 11, it was redirected to a health care facility in Wuppertal, a city 20 miles east.
“The treatment that was arranged at Düsseldorf University Hospital was not possible there due to a hacker attack,” said Wolf-Tilman Baumert, spokesman for the public prosecutor’s office in Wuppertal, as quoted in Bild. The change of destination is said to have delayed the patient’s medical care by a critical hour.
The woman died shortly thereafter. “The deceased has already been autopsied as part of a death investigation,” Baumert said.
Police are said to have contacted the hackers, who left behind a blackmail note, and persuaded them to supply a digital key that would decrypt the hospital’s 30 infected computer servers. The attackers allegedly did not know they had targeted an emergency clinic, German officials said.
The hackers sabotaged the hospital’s IT network through a known flaw in Citrix, provider of a VPN tool, said Arne Schönbohm, president of the Federal Office for Information Security, Germany’s national cybersecurity agency. The agency was called in to help get the hospital back online.
A Citrix software update had been available for IT administrators to patch their systems since January. “We warned of the vulnerability back in January and pointed out the consequences of its exploitation,” Schönbohm said in a statement. “I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately.”
Hackers could have subverted IT systems vulnerable to the Citrix security hole prior to the updated software’s release in January. Because installing the update does not remove access an intruder has already established, hackers could still have access to supposedly patched networks.
The German cybersecurity agency said that any organizations that use the products Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller should look for possible signs of compromise, or consult with external cybersecurity professionals for an audit.
First ransomware death?
If the ransomware attack did indeed lead to a patient’s death, however indirectly, the incident could go down in history as a first of its kind.
Ciaran Martin, former chief executive of the U.K.’s National Cyber Security Centre, told the BBC that the incident was unprecedented. “If confirmed, this tragedy would be the first known case of a death directly linked to a cyberattack,” he said.
Cybercriminals frequently exploit vulnerabilities in commercial software to seize control of victims’ machines. In a ransomware attack, the bandits typically demand an extortion payment, usually denominated in a cryptocurrency such as Bitcoin.
Hospitals have been hit by an increasing number of ransomware attacks in recent years. Though law enforcement agencies advise people not to pay such ransoms, since they encourage more crime, sometimes, in the interest of reclaiming control of computer systems, people do—especially in the medical field, where lives may be on the line.
“Unfortunately, it was both entirely foreseeable and inevitable that a ransomware attack would eventually result in the loss of life,” Brett Callow, a threat analyst at Emsisoft, a cybersecurity firm that tracks ransomware attacks, told Fortune.
“This tragic incident should be a wake-up call,” Callow said.
Investigating the death
It’s unclear to what extent the hackers are to blame for the fatality.
“A lot is still vague about it, and it looks like the hospital may have been negligent as well,” says Dmitri Alperovitch, cofounder and executive chairman of Silverado Policy Accelerator, a nonprofit think tank focusing on national security.
The hospital could have better defended itself by applying the available Citrix patch months earlier and keeping better tabs on its network, for instance. “It’s still pretty unclear as the reporting is very shallow,” said Alperovitch, who is also a cofounder of CrowdStrike, a cybersecurity firm.
Thomas Rid, a professor of strategic studies at Johns Hopkins University, urged circumspection too. “It’s important not to blow this incident out of proportion, as it may not be as unique as people think,” Rid told Fortune.
“The causality is not clear either,” Rid continued. “Whether the patient would have died without the ransomware incident first, we just don’t know.”
International organizations such as the United Nations have called for nation states and cybercriminals to uphold a “digital ceasefire” amid the ravages of the coronavirus pandemic. While some reports have suggested that the hackers, in this case, never intended to knock out a medical clinic—German officials said the hospital might have been infected accidentally—it would seem no armistice is being honored.
The hospital is still attempting to recover its IT systems. “As things stand today, we expect that we will be able to resume emergency care…within the next week,” said Frank Schneider, the clinic’s medical director, in a statement.