The case of the alleged ransomware-related death in Alabama

I described in a separate article how cyberattacks on hospital systems are becoming more frequent and why they pose an enormous safety threat to hospitalized patients. The Ponemon Institute surveyed 600 hospital IT security officials. 43% of them stated that they had to deal with ransomware attacks at least once, and in 22% of instances, the attacks negatively impacted mortality rates in their institutions (source link).

In this article, I want to present the case of the first alleged ransomware-related death. The information here comes from the NBC article and court filing from the Mobile County in Alabama circuit court submitted on 6/4/2020. 

The plaintiff in this case is Mrs. Teiranni Kidd, who delivered her baby in Springhill Hospital on 7/17/2019. The baby had brain injury due to complications of labor not detected early enough, presumably due to malfunctioning or unavailable computer and monitoring networking systems. Subsequently, the baby died several months later. 

On the 9th of July 2019, Springhill Hospital’s IT systems were attacked by ransomware. At the time, the healthcare facility called it a “network event.” Many days later, on 7/16/2019, the hospital informed the public that they were addressing security issues, shut down the networks, and continued safely care for the patients. 

Furthermore, on 7/23/2019, the Springhill Medical Center released the following statement: 

“We would like to assure patients and the community that patient safety is always our top priority, and we would never allow our staff to operate in an unsafe environment (link to court filing).

Nothing was further from the truth as we learn from the facts presented by the plaintiff. Let’s look at information provided by lawyers for the plaintiff. 

• On 7/16/2019, Mrs. Kidd was admitted to the hospital to give birth to her daughter.
• She was never told about IT systems being down and their effects on the quality of care.
• On 7/16/2019, the mother had category one fetal heart tracing on the monitor.
• On 7/17/2019 at 8:30 AM, she started receiving a medication called Pitocin. Although the filing does not mention an indication for that, we usually use it to augment or speed the process of labor. However, using Pitocin may also be associated with overstimulation of the uterus, resulting in too many, too intense, or prolonged contractions, decreasing the blood flow from the placenta to the fetus. If that complication occurs, nurses or doctors can spot it on the monitor, displaying the baby’s heart rate, number, and uterus contractions’ strength. 
• On 7/17/2019 at 8:40 AM, an artificial rupture of amniotic membranes was performed.
• On 7/17/2019 at 9:30 AM, the fetal heart rate strip was showing decelerations (slowing of the heart rate in a baby)
• On 7/172019 at 10:29 AM, the fetal heart rate strip started showing fetal tachycardia (higher heart rate rhythm) and minimal variability. Low variability could have been a sign that the baby was in trouble already. Later, the obstetrician for the mother stated that had she known about the baby’s heart rate strip, she would have performed a cesarean section delivery. 
• Importantly, due to technical issues, there were significant gaps when the baby was not monitored at all, presumably due to technical problems with electrode placement.
• On 7/17/2019 at 11:25 AM, the baby was born with only a faint heart rate. The first minute Apgar score was one; however, later, the baby needed a prolonged resuscitation and had no detectable heart rate between 5 and 20 minutes of life. 
• At birth, it was noted that the baby had a nuchal cord (the umbilical cord wrapped around the baby’s neck) and terminal meconium (the baby started stooling in utero). Again, most of the time, if the baby is in trouble due to these two findings, we can spot warning signs on the baby’s heart rate monitor.
• Also important for this case is that a neonatologist was present at the time of birth and arrived at the bedside only 8 minutes later. 
• The lawsuit does not focus on describing postnatal care provided to the baby. However, we know some diagnoses for which the baby was treated: hypoxic-ischemic encephalopathy, acute renal injury, hyaline membrane disease, seizures, anemia, and pneumothorax. 
• After birth, the baby was transferred to a children’s hospital for further care.
• The baby died before one year of age. 

The lawyers listed many reasons for the lawsuit, and below are a few of them: 

• fraudulent non-disclosure
• negligence on the part of the hospital and doctors
• wrongful death
• breach of implied contract

The most important for me in this lawsuit is evidence of the lack of maturity, cavalier behavior of hospital administrators, and dishonesty in not telling patients about the cyberattack’s significant impairment of hospital operations. 

Lawyers for the plaintiff described those behaviors best: 

“At the time, Teiranni was not told of the following material facts……
That the hospital’s computer and network systems had been crippled by a cyberattack for days;
That the hospital’s computer and network systems used for patient care and safety had been rendered ineffective and inoperable;
That the cyberattack on the hospital’s computer and network systems implicated and placed at risk patient safety
Had the above disclosures been made, plaintiff Teiranni Kidd would have gone to a different and safe hospital for labor and delivery. “

What did we learn from this case?

Medical providers and administrators must learn from this case. Do not minimize the threat to patient safety posed by IT system disruptions. Be honest with your patients about problems your practice or institution faces that influence how you practice medicine. 

There may be better approaches for your patient than trying to be a hero. It is best to let your patient decide whether to stay or be transferred to another institution.

Administrators owe honesty to the hospital staff and patients. Administrators’ responsibility is to develop policies, procedures, and training on operating during cyberattacks and what and when to disclose to the public and their patients on admission.