The untold story of a cyberattack, a hospital and a dying woman

German prosecutors tried to prove that a ransomware attack on a hospital was to blame for someone losing their life. Their story is a warning

On the night of September 11, paramedics in Düsseldorf, Germany, were alerted to the deteriorating condition of a 78-year-old woman suffering from an aortic aneurysm. What began as a routine pick-up took a nasty turn when they called the local university hospital to inform staff of their impending arrival. They were told that the accident and emergency department was closed, so they couldn’t accept the patient.

Instead, the ambulance was directed to Helios University Hospital in Wuppertal, 32 kilometres away, which delayed the patient's treatment by an hour. She died shortly after.

The tragic sequence of events drew the attention of cybercrime officials. A ransomware attack, where hackers encrypt data and then demand payment to unlock it, had forced the hospital to turn the ambulance away. The attack compromised the digital infrastructure that the hospital relies on to coordinate doctors, beds, and treatment, forcing the cancellation of hundreds of operations and other procedures. It also limited the hospital’s capacity drastically: whereas it normally treats more than 1,000 patients each day, it could attend to no more than half this during and after the attack. Stopping new admissions was necessary to protect those who were already inside.

Following the attack, it was suggested that this may have been the first instance of death by ransomware. Prosecutors in Cologne geared up to pursue the hackers, on the assumption they could be identified, for negligent homicide, meaning the killing of another person through negligence or without malice. To be successful, they’d need to establish legal causation – essentially that the attack, and the delay in treatment it engendered, contributed sufficiently to the fatality.

This was always going to be a battle, says Markus Hartmann, the chief public prosecutor at Cologne public prosecutor's office. After a two-month investigation, Hartmann’s team concluded that there were insufficient grounds to pursue the matter any further. The ransomware was involved in the case but the law means it isn’t possible to blame the hackers for the death.

The ransomware attack was first spotted in the early hours of September 10, but it could have started much earlier. The hospital’s internal networks are so expansive that staff could have been using them for days without noticing an encrypted file. The ransomware had been introduced to the University Hospital Düsseldorf's network through a well-known vulnerability in a Citrix application. The hospital insists that it patched the vulnerability in January, the day of the patch’s release, but it’s possible that the ransomware's loader was installed in December, when news of the vulnerability surfaced.

Local reports have suggested that this attack was misdirected, largely because the ransom note from the hackers on the hospital servers was directed to the affiliated Heinrich Heine University rather than the hospital. The hackers, perhaps in recognition of their mistake, even presented the encryption key to police when they were informed they’d hit the hospital, but this is possibly all part of an “elaborate PR stunt”, Hartmann warns. “From our experience, hackers will do anything for money, and it might be that the public attention of hacking a hospital and the intense investigation was a little bit too much for them.”

Despite the hackers’ efforts to undo the attack, the damage was already done. The decryption process that began in the early hours of September 11 was slow, meaning that even by September 20 no data could be fed into or retrieved from hospital IT systems. Not even email communication was functioning. This is due to the sheer volume of data impacted: 30 servers had been corrupted. The infiltration also required hospital officials to conduct a comprehensive security examination to safeguard against future attacks, and some of these networks are still being reinforced.

From a medical perspective, it’s possible that the ransomware attack did indeed contribute to the victim’s death, even if minimally or trivially, but that’s not enough to establish the legal causation required to prosecute for negligent manslaughter. The standard of proof in Germany would require prosecutors to show that the attack played a “decisive role” in the death, says Lisa Urban, a doctoral researcher at the University of Luxembourg’s law department.

This is determined using the equivalent of the United Kingdom’s “but for” test, which is to say that but for the hack, the victim wouldn’t have died that morning. The prosecution would also be challenged to legally attribute the death to the attacker. This is “not unthinkable,” Urban says, but in medical cases such as this, where the victim is suffering from a life-threatening illness, it’s not always straightforward to establish legal grounds.

After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim’s medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. “The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

All this leaves Hartmann to pursue the hackers through the more traditional charges of blackmail and hacking, although he faces a battle to identify them and even more to charge them, given that many of these outfits are based in Russia, where authorities have historically protected hackers from extradition. Doppelpaymer, the attacker’s choice of ransomware, has links to Russian groups.

But it’s only a matter of time, Hartmann believes, before ransomware does directly cause a death. “Where the patient is suffering from a slightly less severe condition, the attack could certainly be a decisive factor,” he says. “This is because the inability to receive treatment can have severe implications for those who require emergency services.” Success at bringing a charge might set an important precedent for future cases, thereby deepening the toolkit of prosecutors beyond the typical cybercrime statutes.

“The main hurdle will be one of proof,” Urban says. “Legal causation will be there as soon as the prosecution can prove that the person died earlier, even if it’s only a few hours, because of the hack, but this is never easy to prove.” With the Düsseldorf attack, it was not possible to establish that the victim could have survived much longer, but in general it’s “absolutely possible” that hackers could be found guilty of manslaughter, Urban argues.

And where causation is established, Hartmann points out that exposure for criminal prosecution stretches beyond the hackers. Instead, anyone who can be shown to have contributed to the hack may also be prosecuted, he says. In the Düsseldorf case, for example, his team was preparing to consider the culpability of the hospital’s IT staff. Could they have better defended the hospital by monitoring the network more closely, for instance?

What deepens the concern is the growing threat of cyberattacks on hospitals. More than 750 healthcare providers across the United States were targeted by ransomware last year. A string of incidents, worsened during the pandemic, has brought these attacks into sharp focus.

Interpol issued a warning in April, before federal authorities warned of an “increased and imminent” cybercrime threat to hospitals and healthcare providers after various attacks across North America. And when you’re leveraging lives to extort money, it’s logical that some will be lost, even more so when law enforcement agencies encourage targets to not pay ransoms.

“Because of attacks in the United States, one hospital has had to furlough 300 staff and another has been unable to administer computer-controlled cancer treatments, so it’s absolutely inevitable that these incidents are going to have an impact on patient care,” says Brett Callow, a threat analyst and ransomware specialist at security firm Emsisoft. “And in cases where hospitals are unable to accept emergency patients, the risks of death increase significantly.”

While the hackers may never be brought to justice, the attack in Düsseldorf serves as a warning of the real-world consequences when criminals target critical systems. “It’s one thing to attack a person’s private computer at home, but something entirely different to attack hospital infrastructure,” Hartmann says. “This is a warning sign to those running critical infrastructure that any failure to protect your infrastructure could result in fatal outcomes. And also to anybody in the hacker scene that you cannot just expect to spread your ransomware without consequences other than financial damage.”

This article was originally published by WIRED UK