Prosecutors in Germany have launched a homicide investigation after a patient died when a hospital in Düsseldorf came under cyber attack.
The incident, which took place last week, is thought to be the first time a ransomware attack has resulted in a death.
The woman, who has not been named, was suffering from a life-threatening illness and was on her way to the Düsseldorf University Hospital for emergency treatment on September 10.
But the ambulance she was travelling in had to be diverted when the hospital’s IT system was paralysed by hackers.
It was sent to a hospital in the neighbouring city of Wuppertal, some 20 miles away. The delay proved fatal for the woman, who died shortly after being admitted.
“If confirmed, this tragedy would be the first case I know of, anywhere in the world, where the death of a human life can be linked in any way to a cyber attack,” said Ciaran Martin, who stepped down as the head of Britain’s National Cyber Security Centre earlier this month.
The hackers behind the attack have yet to be identified but German prosecutors vowed to leave no stone unturned as they opened an investigation against them for negligent homicide.
Düsseldorf University Hospital is one of the largest and most prestigious medical centres in Germany, treating more than 50,000 inpatients a year.
But the hospital was paralysed last week when its IT system came under cyber attack. Hundreds of scheduled operations and other treatments had to be cancelled, and patients were diverted to other hospitals.
A blackmail letter was found on one of the hospital’s servers telling administrators how to contact the hackers to get the system restored. It did not specify a ransom figure.
The letter was addressed to Düsseldorf University and authorities believe the hospital may have been targetted by mistake.
When police contacted the hackers using the method described in the letter and told them the attack had hit the hospital, the hackers immediately sent the decryption key without payment. But it was too late for the woman whose ambulance had been diverted to Wuppertal.
“The journey here took about half an hour longer than it would have to Düsseldorf. Unfortunately, the patient died immediately after being admitted to the hospital here in Wuppertal,” Wolf-Tilman Baumert, a spokesman for prosecutors in Wuppertal said.
Although the IT system has been restored, it is still affected by glitches caused by the attack, and the hospital remains unable to accept patients brought by ambulance more than a week later.
Large IT systems are being targetted in increasingly sophisticated attacks by hackers who demand ransoms in untraceable virtual currencies such as Bitcoin to release them.
In this case, the hackers are believed to have gained access to the hospital’s computers via a flaw in a Citrix virtual private network (VPN).
Arne Schoenbohm, the head of Germany’s cyber-security agency, the Federal Office for Information Security, said the flaw had been known about since December last year and warned hospitals not to delay cyber security upgrades.
“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” he said. “This incident shows once again how seriously this danger must be taken.”
The case has been transferred to a specialist cybercrime unit in Cologne. If convicted of negligent homicide, those responsible could face up to five years in prison.