Cloudy & Present Danger: Medical Professional Liability & The Increase in Healthcare Cyber Threats

Kidd v. Springhill Hospitals Inc. 

The healthcare industry has always been an inviting target for cybercriminals. It depends heavily on technology, data transfer, and innovation, and it is tightly regulated, with strict requirements governing the use and disclosure of patient information. The intersection of these traits has been a breeding ground for attacks of every kind: data breaches, distributed denial of service (DDoS), phishing and fraud scams, and ransomware. More recently, that same intersection has become fertile ground for medical malpractice lawsuits. In 2020 a lawsuit was filed in Mobile, Alabama alleging that a hospital and its clinicians negligently failed to provide adequate care to a mother and her unborn child during a ransomware attack.[1] Although the case presents a question of first impression for the United States courts, the lawsuit itself is hardly surprising.

On July 9, 2019, Springhill Memorial Hospital in Mobile, Alabama fell victim to a ransomware attack in which the attackers encrypted the hospital's IT systems, including its electronic medical record system, and knocked them offline for approximately three weeks.[2] The attack also rendered unusable medical equipment throughout the hospital, including patient monitoring devices such as fetal heart monitors. Although Springhill publicly acknowledged the attack shortly after it occurred, it stated that the attack "would not affect patient care" and that patients could be assured of high-quality services.[3]

A week after the ransomware attack, Teiranni Kidd presented to Springhill to deliver her daughter. In her lawsuit, Ms. Kidd alleges that she was unaware of the attack, and that had she known about it, let alone the extent to which it had crippled the hospital's IT infrastructure, she would not have given birth at the hospital. On July 16, with the attack still ongoing, Ms. Kidd gave birth to her daughter, Nicko. During the delivery the umbilical cord was wrapped around Nicko's neck, depriving her of oxygen and causing severe brain damage. Nine months later, Nicko died of complications from that brain damage.

Immediately following the delivery, the obstetrician and nursing staff texted each other in an effort to work out what had gone wrong. The obstetrician in particular wanted to know why she had not been made aware of certain fetal heart rate readings. In hindsight, she said, had she appreciated the severity of the situation she would have proceeded immediately to a caesarean section: "I need [you] to help me understand why I was not notified…I know bad things happen and sometimes you can't control it but this was preventable," she texted her colleague.[4]

According to Ms. Kidd's lawsuit, a working fetal heart monitor would readily have detected the loss of blood supply and oxygen to the fetus. As a direct result of the ransomware attack, however, the heart monitors were not functioning properly. Because of that malfunction, the obstetrician, unaware of the fetal distress, did not perform the caesarean section that the lawsuit contends was clinically indicated. That decision, the lawsuit argues, ultimately cost Nicko her life.

Kidd is still pending in state court in Alabama, and it will likely take years of litigation to sort out the liability issues. In the meantime, the case is a stark reminder that attacks like this one are growing in both severity and sophistication. According to a report from Check Point, a global cybersecurity firm, ransomware attacks increased 102% in 2021 compared with the year before.[5] The healthcare sector faces the highest volume of ransomware attempts of any industry, averaging 109 attempts per organization per week; the next most targeted sector, utilities, averages 59 attempts per organization per week.[6]

For years, industry experts and government regulators have sounded the alarm about the increasing frequency of cyber threats to the healthcare industry. The WannaCry ransomware attack of 2017, which disrupted roughly a third of National Health Service trusts in England, was an early and significant example.[7] But as demand grows for new medical technology, faster patient access to records, and greater interconnectivity between devices, the attack surface grows with it. The 2020 HIMSS (Healthcare Information and Management Systems Society) Cybersecurity Survey found that 70% of the hospitals surveyed had suffered a "significant security incident" within the preceding twelve months.[8] Numbers like these are only likely to rise.

What to Do?

The healthcare industry must meet these attackers with equal zeal and sophistication. That is easier said than done, of course, and it requires a commitment of money and resources beyond any one person or group. At the individual level, however, there are concrete steps: scrutinize unexpected emails and texts before clicking links or opening attachments; install software updates promptly (WannaCry spread through systems that had not applied an available security patch); and alert your colleagues and IT staff to any suspicious electronic communications.


[1] Kidd v. Springhill Hospitals, Inc. (Ala. Cir. Ct. 2020), amended complaint, https://www.documentcloud.org/documents/21072978-kidd-amended-complaint. The lawsuit was originally filed in January 2020 and amended in 2021 after the death of the nine-month-old baby.

[2] Kevin Poulsen, Robert McMillan & Melanie Evans, "A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death," The Wall Street Journal (Sept. 30, 2021), https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116.

[3] Kidd v. Springhill Hospitals, Inc. (2020).

[4] Id.

[5] "Ransomware Attacks Surge 102% in 2021 as Triple Extortion Emerges," HealthITSecurity, https://healthitsecurity.com/news/ransomware-attacks-surge-102-in-2021-as-triple-extortion-emerges.

[6] Id.

[7] National Audit Office, "Investigation: WannaCry cyber attack and the NHS" (Oct. 2017), https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf.

[8] "Why hospitals and healthcare organizations need to take cybersecurity more seriously," Brookings TechTank (Aug. 9, 2021), https://www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/.