Fatality After Hospital Hacked

A woman in need of urgent medical treatment has died after a hospital under cyber-attack was unable to admit her. 

Attackers struck the Düsseldorf University Clinic (DUC) last Thursday, causing IT systems at the major hospital to fail. Because of the attack, a woman seeking emergency treatment at the hospital on Friday night died after she had to be transported to a hospital in another city for treatment.

Treatment of the deceased woman was delayed by an hour as she had to travel an additional 20 miles to a hospital in Wuppertal. 

The DUC said that computer forensic experts investigating the incident determined that threat actors had managed to exploit a vulnerability in "widely used commercial add-on software." The software that contained the weakness was not named by the hospital.

Following the attack, systems at the DUC gradually crashed, preventing the hospital from being able to access data. As a result, operations were postponed, and emergency patients were redirected to alternative healthcare providers. 

Hospital staff said that they believe data temporarily placed off limits as a result of the cyber-assault has not been irretrievably lost. A week on from the attack, the DUC's IT systems are slowly being restarted. 

In what may have been a deadly mistake by the attackers, it seems the real target of this cyber-crime may have been Heinrich Heine University, with which the DUC is affiliated.

News agency DPA reported that 30 servers at the hospital were encrypted last week and an extortion note was left on one of the servers, according to a report from North Rhine-Westphalia state's justice minister.

The note was addressed to the Heinrich Heine University and not the DUC. It asked for the university to make contact but did not mention a specific ransom demand. 

Düsseldorf police used the contact details given in the note to reach out to the attackers, informing them that their attack had impacted a hospital. The attackers subsequently provided a digital decryption key and made no attempt to extort money. 

Communication with the attackers has since broken down. An investigation has been launched that could see the perpetrators charged with negligent manslaughter.
