“Ransomware Killed My Baby”: Lawsuit Raises Issue Of CyberSecurity-Breach Disclosure Liability
A hospital suffering through a ransomware attack failed to provide proper care for an expectant mother and her newborn child, leading to the child’s death, according to a lawsuit filed in the US State of Alabama.
Springhill Medical Center, a hospital based in Mobile, Alabama, was hit with ransomware during the summer of 2019; the cyberattack crippled the medical facility’s information systems, causing multiple computer systems and networks to be unusable for over a week – the same period of time during which Teiranni Kidd entered the facility in order to give birth to a daughter, Niko. During the ransomware-inflicted technology outages, Teiranni claims, the number of medical professionals who would normally “monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated,” at least in part because the hospital allegedly adopted, on an emergency basis, an outdated “pen and paper” system for managing patient care. According to the lawsuit, the computer system outages dramatically reduced the level of care provided to both mother and child, contributing to the newborn Niko suffering brain damage that ultimately led to her death less than a year later.
According to the plaintiff, the hospital was negligent (as was the delivering physician) in addressing a dangerous situation. The hospital, Teiranni claims, failed to inform her of the ransomware attack – or of the seriously adverse impact that the attack had on the hospital’s computer systems; the lawsuit claims that had Teiranni been aware of the extent of the ongoing IT problems, she would have gone elsewhere to deliver her child. The hospital, however, argues that it had no legal responsibility to provide Teiranni with any details vis-à-vis either the cyberattack or any resulting technical difficulties, and that the facility continued to provide high quality medical services throughout the period of time during which it endured ransomware-inflicted system outages.
According to the Wall Street Journal, text messages between the hospital’s chief OB-GYN physician and the nurse manager on the delivery floor at the time of Teiranni’s labor and delivery appear to indicate that the former was not notified of Teiranni’s condition prior to Niko’s delivery, and that had she been notified, she would have recommended delivering Niko by Caesarean section rather than by natural delivery.
While the Springhill Medical Center incident is by no means the first case in which ransomware is claimed to have contributed to a human death (although in at least one such case it appears likely that the patient might have died even without the impact of the ransomware), it may be the first such case to head into a US courtroom. It also brings to the forefront several important issues – such as the ethical and legal question of whether parties suffering through cyberattacks should be responsible for disclosing their situation to potential clients, and for informing those clients of possible impacts to services. Likewise, what responsibility should apply if a hacked party sincerely and reasonably believes that the relevant attack will not significantly degrade its performance — and, furthermore, what exactly counts as “sincerely and reasonably”? Additionally, should situations in which system failures could reasonably endanger human life and health – such as in a hospital setting – be treated differently than other types of breaches?
Whatever happens in the Springhill case, there is little doubt that courts around the world – and even across the United States – will shed much more light on such matters in the near future, and that conflicting judicial opinions will likely lead to the crafting of long overdue legislation.