A woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital. The hospital couldn’t accept emergency patients because of the attack, and the woman was sent to a health care facility around 20 miles away, the Associated Press reported.
The cyberattack was not intended for the hospital, according to a report from the German news outlet RTL. The ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.
Health care facilities are one of the biggest targets for cyberattacks, and cybersecurity experts have warned for years that most hospitals aren’t prepared. They rely heavily on devices, like radiology equipment, that are often connected to the internet. Without those tools, they aren’t as able to treat patients.
“If systems are disrupted over the internet, by an adversary or an accident, that can have a profound impact on patient care,” says Beau Woods, a cybersecurity advocate and cybersafety innovation fellow with the Atlantic Council, told The Verge last year.
Even attacks that target patient data, and don’t directly impact medical devices, can hurt patient outcomes: one study found that a hospital’s death rate from heart attacks goes up in the years after a data breach. That’s probably because hospitals have to divert resources to respond to the attack or upgrade software in a way that changes how doctors operate.
Major cyberattacks, like the 2017 WannaCry cyberattack, have shut down major hospital systems — WannaCry took down the United Kingdom’s National Health Service, for example. No deaths were directly linked to that attack, but most experts warned it was only a matter of time.
German authorities are still investigating this woman’s death. If her diversion to another hospital is found to be responsible for her death, police may treat the cyberattack as a homicide.