A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
When Teiranni Kidd walked into Springhill Medical Center on July 16, 2019, to have her baby, she had no idea the Alabama hospital was deep in the midst of a ransomware attack.
For nearly eight days, computers had been disabled on every floor. A real-time wireless tracker that could locate medical staff around the hospital was down. Years of patient health records were inaccessible. And at the nurses’ desk in the labor and delivery unit, medical staff were cut off from the equipment that monitors fetal heartbeats in the 12 delivery rooms.
Doctors and nurses in the unit texted each other with updates. “We have no computer charting for I don’t know how long,” one manager informed a nurse in a message later filed in court. “They are printing out the labs in the laboratory and sending them by paper,” another worker wrote. One overwhelmed nurse texted, “I want to run away.”
Ms. Kidd’s daughter, Nicko Silar, was born with the umbilical cord wrapped around her neck. The condition triggers warning signs on the heart monitor when the squeezed cord cuts off the supply of blood and oxygen to the fetus. Nicko was diagnosed with severe brain damage. She died nine months later.
Amid the hack, fewer eyes were on the heart monitors—normally tracked on a large screen at the nurses’ station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”
Ms. Kidd has sued Springhill, alleging information about the baby’s condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nurses’ station. If proven in court, the case will mark the first confirmed death from a ransomware attack.
The hospital denies any wrongdoing. In an emailed statement to The Wall Street Journal, Springhill CEO Jeffrey St. Clair said the hospital handled the attack appropriately: “We stayed open and our dedicated healthcare workers continued to care for our patients because the patients needed us and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so.”
Dr. Parnell, who is also named as a defendant in the lawsuit, didn’t respond to detailed requests for comment. In a court filing, Dr. Parnell said that she had been aware of the cyberattack, but “believed Ms. Kidd could safely deliver her baby at Springhill” at the time she was admitted.
The hospital is arguing in a motion that any obligation to inform Ms. Kidd about the hack fell on Dr. Parnell, who has not yet responded to that motion.
Ms. Kidd declined an interview request through her attorneys, citing the pending litigation.
A decade ago, ransomware was a novelty in the cybercrime world—a nuisance for consumers and small businesses that often cost victims a few hundred dollars. Today, U.S. authorities are alarmed at the rising sophistication of ransomware operators, who have taken in hundreds of millions of dollars while causing major outages for transportation systems, gas pipelines and other critical infrastructure. The security firm Recorded Future estimates that there were about 65,000 incidents world-wide last year.
Hospitals have increasingly become targets, with hackers betting that executives will pay quickly to restore lifesaving technology—adding even more pressure to healthcare providers already strained by the pandemic. In May, the Federal Bureau of Investigation warned that ongoing ransomware attacks on medical providers and first responders were putting the public in danger and risked delays in medical care.
Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russian-based Ryuk gang, which was singling out hospitals at the time.
The Journal reported in June that Ryuk had attacked at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the U.S., since 2018. Ryuk ransomware collected at least $100 million in ransom payments last year, according to the bitcoin analysis firm Chainalysis. The group’s average ransom demand is just under $700,000, according to ransomware negotiation firm Coveware. The hackers sign their ransom notes with the image of a fictional death god, Ryuk, from a Japanese graphics novel, giving them their name. Inquiries from the Journal to email addresses used in some of the Ryuk attacks went unanswered.
So far, no deaths have been definitively linked to a hospital attack. However, a statistical analysis by the Cybersecurity and Infrastructure Security Agency found evidence that ransomware can lead to dire consequences for hospitals, said
a senior adviser for the agency, which is part of the Department of Homeland Security.
“We can see that a cyberattack can strain you enough to contribute to excess deaths,” he said.
At Springhill, the hospital refused to pay the ransom when the hackers struck on July 8, 2019, according to a spokesman. He declined to say how much the hackers wanted.
Instead, the hospital raced to contain the damage by shutting down the network and scrambling workarounds used for brief outages. It carried on with its normal patient load during the outage, which stretched on for at least three weeks. The hospital said it was ultimately able to return its systems to service without paying the ransom.
At first, staffers were largely in the dark about what was going on, according to three former medical workers who were there during the attack. Employees arrived to find vague notes taped to their computers saying the hospital’s medical records system, called Sunrise, was down until further notice, according to a former Springhill resident nurse.
“I heard it was Ransomware,” one doctor wrote in a message submitted as evidence in the case by the plaintiffs. “May be a very extended problem.”
Tasks that were previously automated, such as recording vital signs, were suddenly arduous and unfamiliar, particularly for younger nursing staff who had never worked without modern technology, according to two workers at the time.
In the medical imaging departments, radiologists peered into the cramped screens attached to scanning equipment because the dedicated workstations with high-resolution monitors they normally used to examine CT scans and MRIs were down.
In anesthesiology, the absence of medical records “put lives at risk,” said Jeffrey Planchard, an anesthesiologist who worked at Springhill during the outage and now works at Mount Sinai Hospital in Chicago. “Having access to previous anesthesiology records is crucial. What kind of airway are you looking at? What kind of allergies that they may or may not remember?” he said.
The hospital didn’t say anything about an attack at first, saying instead, in response to an inquiry from a local TV news broadcast, that it had experienced a “network event” that had “not affected patient care.” A week later it acknowledged in another press statement that it had suffered a security incident.
That was the same day that Ms. Kidd was admitted.
An ultrasound a week earlier had shown no troubling signs for the pregnancy, according to the lawsuit, but an increase in her blood pressure worried doctors enough to schedule her to be induced in Springhill’s labor and delivery unit. Ms. Kidd didn’t know about the attack when she entered the hospital, according to her lawsuit.
With the computer systems out, nurses in the second-floor maternity ward had to start keeping handwritten paper records. Older staffers tutored their younger colleagues on paper charting, including hand-drawing graphs showing patients’ vital signs.
The lack of central monitoring of the delivery rooms was harder to work around. Normally, vital signs were displayed in real time on a large monitor at the nurses’ station, which a half-dozen nurses and doctors closely track for complications, such as potentially troubling patterns in the fetal heart rate. But those monitors were dark.
“Usually the nurses will instinctively just look at the monitor most of the day, and if anything concerning comes up, they’ll go check on that room,” Dr. Planchard said. A major concern: whether the fetus is getting enough blood and oxygen through the umbilical cord.
To work around the outage, nursing staff put patients in the rooms closest to the nurses’ station and turned up the volume on their bedside fetal heart monitors, according to Dr. Planchard and the former Springhill nurse. Those monitors also spooled out paper showing the rate of the heart beat. The hospital said nurses were instructed to stay in or near their patients’ rooms at all times.
About an hour before the birth, the strip of paper from the monitor recorded clear signals the fetus was in distress, including an abnormally fast heart rate, the lawsuit says.
Because an entangled umbilical cord can cut off the supply of blood and oxygen to the fetus, the condition can be accompanied by an abnormal increase to the heart rate on the monitor as the heart tries to compensate, according to nurses who specialize in obstetrics and newborns. Doctors commonly opt to deliver by C-section when they grow concerned by an increased heart rate or other signals of conditions that could cause brain injury.
It couldn’t be determined if the attending nurse noticed the baby’s rising heart rate, and if so, how it was interpreted. What is clear is that the ransomware outage left only one set of eyes on the monitor.
“If that nurse didn’t recognize it, it would have gone unnoticed,” said Dr. Planchard, who said he was often in the delivery unit to administer epidural anesthesia during the ransomware attack.
At 11:23 a.m., Ms. Kidd’s baby, Nicko, was born unresponsive, with the umbilical cord wrapped around her neck.
On a test of infant health done repeatedly minutes after birth, Nicko scored 0’s and 1’s out of 10, the lawsuit says. A “code blue” was called, where healthcare workers resuscitated the baby, who was soon transferred to a neonatal intensive care unit at a nearby hospital.
She had to be fed intravenously and required medication “around the clock,” according to the lawsuit. She was diagnosed with significant brain damage.
The day after the delivery, the nurse manager said in a text to Dr. Parnell that she was examining the heart monitor’s printout for “what we missed or if we could have called sooner.” Dr. Parnell wrote that, had she known what the strip recorded earlier, she would have C-sectioned Ms. Kidd.
Ms. Kidd filed a medical malpractice lawsuit in the Circuit Court of Mobile County in January 2020, and amended it after her daughter died in April of last year. Trial is set for November 2022.
—Jim Oberman contributed to this article.
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8