- Woman died en route to another hospital after being turned away from first one
- Dusseldorf’s University Clinic couldn’t admit her because its systems were down
- The cause was a Sept. 10 cyberattack that the hospital is yet to recover from
- If an investigation, launched Friday, leads to prosecution, this would be first confirmed case of someone dying as a consequence of a cyberattack
A woman in Germany has become the first healthcare cyberattack death after a hospital was unable to admit her because its systems had been the target of an attack.
German prosecutors opened a homicide investigation on Friday into the incident which happened in the western city of Dusseldorf in September.
The female patient, suffering from a life-threatening illness, had to be turned away on the night of September 11 by the city’s University Clinic and died after the ambulance carrying her was diverted to Wuppertal, 30 kilometres (20 miles) away.
Prosecutor Christoph Hebbecker, head of the cybercrime unit in Cologne, said he had opened an investigation into negligent homicide against unknown persons, the Kolner-Stadtanzeiger daily reported.
If the investigation leads to a prosecution, it would be the first confirmed case in which a person has died as the direct consequence of a cyberattack.
The University Clinic in Dusseldorf, capital of Germany’s most populous state of North Rhine-Westphalia, was hit by a ransomware attack on September 10 that penetrated its systems via a flaw in a Citrix VPN system.
The hospital’s IT operations remain affected and it is still unable to admit patients brought in by ambulance, it said on Friday.
Germany’s cyber-security agency, the Federal Office for Information Security, was called in to shore up the hospital’s systems.
Its chief, Arne Schoenbohm, said the Citrix flaw had been known about since December 2019 and called on healthcare facilities not to delay IT security upgrades.
The chief of Germany’s cyber-security agency has urged healthcare facilities not to delay or ignore IT security updates following the death of a woman who couldn’t be admitted to hospital because of a cyberattack
‘I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,’ Schoenbohm said in a statement.
‘This incident shows once again how seriously this danger must be taken.’
Ciaran Martin, who stepped down as the head of Britain’s National Cyber Security Centre this month, said the incident could be prove to be first death caused by a cyberattack.
‘If confirmed, this tragedy would be the first case I know of, anywhere in the world, where the death of a human life can be linked in any way to a cyberattack,’ he told an event in London.