
Lawsuits allege death, morbidity from cyberattacks: Is this the next phase of medical malpractice?

A patient lies on a stretcher in a hallway near other patients in the overloaded Emergency Room at a medical center in Southern California. Cyberattacks against health care organizations are taking a toll on resources, particularly among nonprofits. (Photo by Mario Tama/Getty Images)

Last week, a headline caught mainstream media’s attention: a lawsuit filed by a mother claimed a ransomware attack led to the death of her newborn. A second lawsuit filed in the same timeframe alleged a patient’s care was diminished by network outages at a hospital’s vendor.

These lawsuits are certainly alarming at face value; but how will they play out in court? And what’s more, is this the next phase of medical malpractice suits?

“Yes, very much so,” said Saif Abed, MD, founding partner and director of cybersecurity advisory services for the AbedGraham Group. 

“As the impact of ransomware in health care receives greater coverage and the volume of patients exposed to the outcomes of this type of attack increases, we are going to see an increase in both legitimate and opportunistic malpractice suits based on ‘digital failure’,” he added. 

Going forward, he said, it will be critical for justice systems, including prosecutors and defense attorneys, to have access to relevant expertise “to understand the context of their cases appropriately.”

Springhill Memorial Hospital

Initially filed in January 2020 and since amended, the lawsuit brought by Teiranni Kidd against Springhill Memorial Hospital in Alabama stems from a ransomware-related incident that struck on July 16, 2019. The entire network was driven offline, forcing all clinicians to revert to pen-and-paper processes under previously established electronic health record downtime procedures.

Kidd was admitted to the hospital that same day and her labor was induced, but she was not informed that the hospital was recovering from a cyberattack. The lawsuit also states that Kidd could not see the effect of the cyberattack on hospital operations or on the quality of patient care, and that clinicians did not inform her of it.

“Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses’ station or by any physician or other healthcare provider who was not physically present in Teiranni’s labor and delivery room,” the lawsuit asserts.

“As a result, the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated,” it adds. “No fetal scalp monitor was used to monitor [the infant]'s heart rate at any point during [Kidd]'s labor or delivery.”

The infant was delivered with a number of complications and transferred to a nearby hospital, where the child spent several months in the neonatal intensive care unit, requiring oxygen and other critical care procedures. The infant died several months later.

The lawsuit alleges the infant’s death was a direct result of the outages experienced by Springhill Memorial Hospital. The hospital is also accused of breach of contract, wantonness, and negligence, with a laundry list of care failures throughout Kidd’s birthing experience.

Further, the lawsuit argues the hospital failed to disclose the severity of the attack, the communication problems it caused, the lack of preparation, and staffing concerns during the attack. At the time of the attack, local news outlets shared an account from an anonymous source who expressed frustration with the downtime operations and claimed the attack could be life-threatening.

The lawsuit outlines the worst-case scenario for any patient requiring emergency care from a provider, and the claims certainly cannot be taken lightly. But it will take time for the evidence to come to light and for a court to determine whether the ransomware outage or some other cause lay behind the infant’s death.

Elekta lawsuit

On Sept. 28, a patient of Northwestern Memorial HealthCare sued cancer software vendor Elekta over a ransomware attack that struck in April 2021. At the time of the attack, 40 health systems reported experiencing network issues directly tied to the vendor incident.

Hackers launched the attack against Elekta’s cloud-based storage system, which forced those providers offline and resulted in the cancelation of some radiation treatment appointments. Elekta stated publicly at the time that the attack affected only a subset of its U.S. cloud customers. 

For Northwestern, the entire database of oncology patients was compromised, affecting 201,197 patients. The data was accessed and potentially stolen during the attack. The impacted system remained offline for a number of months while Elekta worked to restore it.

The latest lawsuit is not the first filed against Elekta over the incident. In July, patients affected by the ransomware-related outage sued the vendor over a number of patient safety concerns. Those plaintiffs are seeking to have any inadequacies in Elekta’s security policies addressed, given the vendor’s role in cancer treatment across the country.

The future of health care lawsuits?

These lawsuits join dozens of others brought after data breaches, phishing attacks, and ransomware-related data leaks. Many of those cases will likely be settled or dismissed, particularly those that fail to demonstrate harm: in a June decision, the Supreme Court held that only individuals “concretely harmed” by a breach have standing to seek damages.

But what about the cases that directly tie ransomware and cyber incidents to care disruptions and other direct impacts?

“Deaths are still fortunately very rare as a consequence of cyberattacks,” said Abed. “However morbidity is going to increase: This means people will experience suboptimal clinical outcomes due to delayed or inappropriate clinical management due to clinical workflow disruption.” 

“I believe this will emerge as the most common area of medical malpractice,” he added.

For Kate Stewart, Of Counsel at the law firm Mintz, the level of private-party litigation after outages, ransomware, and data breaches will continue to rise, likely driven “by how successful plaintiffs are in these recent cases.” Class-action suits alleging harm to the private interests of patients and consumers will also continue to dominate over single-plaintiff suits.

The attacks and subsequent lawsuits can severely impact entities’ reputations, and sometimes the “front page” risk can be as great as the actual legal risks to an organization, she explained. And lawsuits that allege patient harm can do the most damage to a reputation after an incident.

Across the health sector, organizations are becoming increasingly concerned about the possibility of facing a private lawsuit, on top of longstanding concerns such as Department of Health and Human Services investigations, other regulatory investigations and penalties, and reputational harm.

Abed added that “many vendors of clinical applications, network infrastructure and even managed service providers are now looking more closely at their liability and how malpractice could expand to target the technology supplier and not just the healthcare delivery organization.”

Providers need to account for the potential of these lawsuits in their policies and procedures. The Health Insurance Portability and Accountability Act (HIPAA) specifies the security measures required for compliance, but “it’s also a floor and not a ceiling,” said Stewart.

As a result, providers, particularly large-sized organizations, won’t be able to claim HIPAA compliance and preparedness as a defense against these types of lawsuits, she added. “HIPAA was intentionally drafted to be flexible and scalable for covered entities of all types and sizes.” 

By studying these cases, providers can see how other covered entities have handled particular risk areas, explained Stewart. For example, as ransomware attacks continue to proliferate, “how did the covered entity react to protect itself before an attack?” 

“How fulsome was the security risk analysis and subsequent remediation of issues performed by the covered entity? What sort of workforce training was the entity conducting prior to an attack? We know that many of these attacks result from phishing schemes,” said Stewart.

“How were employees (at all levels and in all job roles) trained to detect and avoid phishing? All of these measures can help a covered entity avoid being the victim of a breach or attack,” she added.

But these same measures can also help an entity defend against claims of negligence around systems security and potential data exposures. HHS also offers a free Security Risk Assessment tool that any provider can use to examine security risks across the entire enterprise.

To Abed, it is important that advisory, consultancy, and law firms make clear that all risk reduction efforts should aim to reduce patient safety risk at scale, going well beyond existing regulations and other compliance requirements.

“Stating HIPAA compliance or that you follow NIST best practice is important but not necessarily sufficient,” said Abed. “We advise a clinical risk analysis is the first measure that has to be undertaken in order to develop a plausible future defense.

“Whether you represent a technology company or a healthcare provider I recommend considering implementing a Clinical Risk Analysis and Management Program (CRAMP),” he added. “Measure, monitor and report on clinical risk in relation to the technology you are selling/procuring across its entire life cycle. That will build the most robust documentation for any future defense.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.