A Patient Dies After a Ransomware Attack Hits a Hospital

By Dan Goodin, Ars Technica

A woman seeking emergency treatment for a life-threatening condition died after a ransomware attack crippled a nearby hospital in Düsseldorf, Germany, and forced her to obtain services from a more distant facility, it was widely reported on Thursday.

ARS TECHNICA

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

German authorities are investigating the unknown perpetrators on suspicion of negligent manslaughter, the Associated Press, German news outlet NTV, and others reported. The event under investigation occurred last Friday when the unidentified woman was turned away from Düsseldorf University Hospital because a ransomware attack hampered its ability to operate normally. The woman was rushed to a hospital about 20 miles away, resulting in about a one-hour delay in treatment. She died.

So far, little is known publicly about the ransomware strain or the attackers involved in the infection, which began last Thursday, about 24 hours before the death occurred. A report from the North Rhine–Westphalia state justice minister said that the attack encrypted about 30 hospital servers and left a message instructing the Heinrich Heine University, to which the Düsseldorf hospital is affiliated, to contact the attackers.

Düsseldorf police eventually communicated with the attackers and told them that the attack had hit a hospital treating emergency patients, not the university. The attackers reportedly withdrew the extortion demand and provided a decryption key to unlock the servers. The justice minister report said that the attackers are no longer reachable.

Hospital officials said on Twitter that the infection occurred after attackers exploited a vulnerability in a “widely used commercial add-on software,” which the tweet didn’t identify. As noted by ZD Net, the officials also said they had notified German authorities of the attack. Hours earlier, the German agency responsible for issuing cybersecurity warnings, the BSI, tweeted a link to this advisory from January. The advisory warned that attackers were actively exploiting CVE-2019-19781, a critical vulnerability in the Citrix application delivery controller, which customers use to perform load balancing of inbound application traffic.

Citrix didn’t immediately respond to an email asking if the vulnerability was the initial entryway into the Düsseldorf hospital. CVE-2019-19781 was in the news on Wednesday when federal prosecutors said it was one of several vulnerabilities allegedly used by hackers backed by the Chinese government to breach game and software makers.

Last week’s infection isn’t the first time hospitals have been paralyzed by ransomware. Last year, 10 hospitals—three in Alabama and seven in Australia—were hit by attacks that also hampered their ability to accept new patients. A few days later, the three Alabama hospitals reportedly paid the ransom so they could obtain the decryption key needed to restore their systems.

This story originally appeared on Ars Technica.

More Great WIRED Stories