BERLIN — The first known death from a cyberattack was reported Thursday after cybercriminals hit a hospital in Düsseldorf, Germany, with so-called ransomware, in which hackers encrypt data and hold it hostage until the victim pays a ransom.
The ransomware invaded 30 servers at University Hospital Düsseldorf last week, crashing systems and forcing the hospital to turn away emergency patients. As a result, German authorities said, a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from treatment delays.
The attack is the first reported death from a cyberattack. Hospitals have been a frequent target for cybercriminals, particularly ransomware attacks, because the need to access health records and computer systems creates urgency that increases the likelihood that victims will pay their extortionists.
“Hospitals can’t afford downtime, which means they may be more likely to pay — and quickly with minimal negotiation — to restore their services,” Brett Callow, a threat analyst at Emsisoft, the New Zealand security firm, said Friday. “That makes them a prime target.”
The most aggressive reported attacks on health care facilities to date were North Korea’s 2017 “WannaCry” ransomware attack, which froze British hospitals and forced doctors to cancel surgeries and turn patients away, and a Russian “NotPetya” attack one month later, which forced hospitals in rural Virginia and across Pennsylvania to turn away patients whose records they could no longer access.
The WannaCry attacks were eventually mitigated by a hacker who found a way to neutralize the attacks, but much of the data seized in NotPetya was never recovered. No deaths were reported from either attack, but security experts said it was only a matter of time.
“This was absolutely inevitable,” said Mr. Callow. “We are fortunate it hasn’t happened sooner.”
Ransomware has become a scourge in the United States, and hospitals are among the softest targets. In 2019, 764 American health care providers — a record — were hit by ransomware. Emergency patients were turned away from hospitals, medical records were inaccessible and in some cases permanently lost, surgical procedures were canceled, tests postponed and 911 services interrupted.
But little has been done to deter the attacks and the responses of targeted institutions are often shrouded in secrecy. Despite F.B.I. advisories warning victims not to pay their extortionists, cyber insurers have advised victims to pay ransoms, calculating that the payments are still cheaper than the cost to clean up and recover data.
The attacks cost organizations more than $7.5 billion in 2019, according to Emsisoft, a cybersecurity firm that tracks ransomware attacks. An increasing number of victims are choosing to pay, as many as three of four, according to one recent survey of 500 senior executives conducted by Infrascale, a security company.
The payouts have emboldened cybercriminals, who have been upping their ransom demands by millions of dollars in recent years. Last year, cybercriminals demanded $14 million worth of bitcoin in a ransomware attack that affected 110 nursing homes across the United States.
While there was a slight dip in attacks in the first six months of 2020, amid the pandemic, the onslaught has resumed pace. Just last week, the University Hospital in New Jersey was hit with ransomware, and subsequently saw patient medical records published on the internet.
Other major American health centers hit with ransomware this year were Boston’s Children’s Hospital, which saw more than 500 affiliate pediatric offices hit last February and, in June, Arkansas Children’s Hospital in Little Rock, among the largest children’s hospitals in the United States.
According to Emsisoft, nearly 10 percent of ransomware victims now see their data leaked online, a jarring development for hospitals, who are legally responsible for protecting medical data.
It is not clear whether cybercriminals intended to take University Hospital Düsseldorf’s systems hostage, or if the hospital was collateral damage in an attack on a university. The ransom note was addressed to Heinrich Heine University, which is affiliated with the hospital, not to the hospital itself.
Police in Düsseldorf contacted attackers via the ransom note to explain that the hospital, not the university, had been impacted, putting patients’ health at risk. Attackers stopped the attack and turned over the encryption key to unlock the data — a development that also appears to be the first of its kind — before dropping correspondence.
German prosecutors are now investigating possible manslaughter charges against the cybercriminals. But it is highly unlikely arrests will be made. The vast majority of ransomware outfits are based in Russia, where authorities have protected hackers from extradition.
To date, Russian hackers have only been arrested while traveling abroad. In 2016, a Russian cybercriminal was arrested while vacationing in Prague on charges he hacked LinkedIn, the social network, and other American companies.
And in 2014, American Secret Service agents coordinated with authorities in the Maldives to extradite a Russian cybercriminal to Guam. The hacker was later found guilty on 38 counts of hacking U.S. retailers and sentenced to 27 years in prison. Russian officials called the extradition a “kidnapping.”
Germany’s Federal Agency for Security in Information Technology said Thursday that the attackers breached the hospital using a hole in Citrix software that was patched last January. Because the hospital failed to update its software, cybercriminals were able to use the flaw to break in and encrypt data.
On Friday, cybersecurity experts said they hoped the death from the ransomware attack would be a wake-up call to regulators and IT administrators that more needs to be done to prevent and deter the attacks.