Lawsuit Links Baby Death to AL Healthcare Ransomware Attack
The lawsuit marks the first public allegation of a healthcare ransomware attack directly resulting in a patient's death.
A baby born at Springhill Medical Center in Alabama later died due to diminished care that resulted from a 2019 healthcare ransomware attack, a lawsuit alleged. The case marks the first public claim that a patient death was directly tied to a ransomware attack.
Teiranni Kidd, the baby’s mother, filed the lawsuit on behalf of her daughter, The Wall Street Journal first reported. According to the lawsuit, Kidd was not aware that Springhill Medical Center was in the middle of a ransomware attack when she arrived at the hospital to deliver her daughter.
The lawsuit alleged that, due to the distraction of the ongoing ransomware attack, doctors and nurses failed to conduct multiple tests that would have revealed that the umbilical cord was wrapped around her daughter’s neck. The baby was born with severe brain damage and passed away nine months later.
On July 16, 2019, Springhill released a statement regarding the attack and stated that the incident had no impact on patient care.
“We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment,” the statement explained.
However, the medical center’s computers were disabled for nearly eight days, and patient health records were inaccessible. A wireless tracker that could locate medical staff was out of order. Because so many electronic systems were down, fetal tracing information was completely inaccessible, the lawsuit alleged.
“As a result, the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated,” the lawsuit continued.
Following the birth, practitioners discovered that Kidd’s infant suffered profound brain damage. The infant was later sent to a children’s hospital and spent months in a neonatal intensive care unit before passing away.
The medical center failed to tell Kidd about the cyberattack and network outages. If she had known, Kidd would have gone to a different hospital for labor and delivery, the lawsuit stated.
“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” the lawsuit continued.
While this is the first known instance of a credible claim linking a patient death to a healthcare ransomware attack, recent research from the Ponemon Institute revealed that healthcare organizations and employees have acknowledged the significant patient safety risks associated with ransomware.
One in four healthcare industry survey respondents reported increased patient mortality rates in the aftermath of a healthcare ransomware attack. EHR downtime, emergency department diversions, and appointment cancellations are common in the wake of a cyberattack, but organizations now must come to terms with the fact that cyber threats can mean life or death in some instances.