Hospital Allegedly Skirting Ransomware Death Suit Settlement
Attorneys Say Hospital Is Reneging on Paying Up in Case Involving Baby's Death
Six weeks after an Alabama hospital settled the first-ever death claim related to a ransomware attack, attorneys representing the mother of the baby who died - allegedly from birth complications related to the 2019 incident - say the hospital hasn't paid up and are asking the court to intervene.
The lawsuit filed by plaintiff Teiranni Kidd against Springhill Memorial Hospital in 2019 and amended in June 2020 alleges that Kidd's daughter, Nicko Silar, suffered birth complications and subsequently died because - due to the ransomware attack - hospital clinicians did not have timely access to the baby's fetal monitoring results, which showed that the child was in distress during Kidd's labor.
The case is believed to be the first lawsuit and settlement in the U.S. involving a death allegedly linked to a ransomware attack on a hospital (see: Lawsuit: Hospital's Ransomware Attack Led to Baby's Death).
A motion filed by Kidd's attorney on May 16 in the Mobile County Circuit Court in Alabama alleges that attorneys reached a settlement with Springhill on April 15, which was affirmed by attorneys representing both sides, but that since then, the hospital has reneged on the agreement and is demanding new terms.
"To date, SMH refuses to fund the settlement. Instead, it is holding the payment hostage to a new demand for additional material terms for which it never bargained," the motion says.
The settlement's financial and other terms - including the new demands by the hospital - are redacted from court documents.
The motion filed by Kidd's attorneys alleges that Springhill appears to have "only two possible motivations" for new settlement terms.
Those reasons are "to subject plaintiff and her counsel to the risk of [redacted text] from meritless allegations of breach of confidentiality for disclosure of details about this litigation that have already been made public; or to extricate Springhill from a binding settlement about which it has apparently had second thoughts," the motion says.
"Either way, SMH's conduct is detrimental to the settlement process, disrespectful of plaintiff's need to finalize her recovery, and antithetical to the just and timely resolution of this case," the motion alleges.
Because a settlement was reached on April 15, the case did not go to trial on April 29 as scheduled more than 16 months ago, the plaintiff's motion alleges.
Neither attorneys representing Kidd nor attorneys representing Springhill immediately responded to Information Security Media Group's requests for comment.
Case Details
Kidd's lawsuit alleges that she was unaware that the hospital was in the midst of a ransomware attack when she was admitted on July 16, 2019. Kidd's baby was born at the hospital on July 17 with her umbilical cord tied around her neck, suffering severe brain damage and other complications, which were allegedly the cause of her death several months later.
Fetal monitoring and other information, which was unavailable to clinicians during Kidd's labor due to the cyberattack, should have prompted an emergency Caesarean section to deliver the baby safely, the lawsuit alleges. That procedure was not performed.
In the U.S., the case is a first, said attorney Rachel Rose, who is not involved in the Springhill litigation. "While there may be others, there may not have been a lawsuit filed because of the causation prong of a negligence case," she said.
Outside the U.S., initial reports linked a September 2020 ransomware attack that affected University Hospital Düsseldorf with the death of a German patient whose emergency care was allegedly disrupted, but the disruption was later determined not to be directly related to the incident.
Rose said the motion filed by the plaintiff gives the impression that both sides entered into a binding agreement. "Courts always look to the four corners of a document when enforcing an agreement. If something was left out, then they should have raised it sooner. We don't know all of the facts so we can't speculate," she said.
Rose suspects that Springhill might have demanded that certain language be added to the settlement terms for a couple of possible reasons - the hospital's insurance policies and liability from other patients who may file a class action.
Emerging Issues
What is significant about the Springhill case "is that healthcare providers are still largely - and blissfully - unaware that cybersecurity incidents can and will impact the provision of healthcare services, and that cybersecurity failure related allegations will be easier to litigate than medical malpractice," said attorney Steven Teppler, a partner and chief cybersecurity legal officer of the law firm Mandelbaum Barrett PC.
"Discovery requests to defendant healthcare providers in these actions will be nearly identical to those in data breach class actions, which are now well established and intrusively comprehensive," said Teppler, who is not involved in the Springhill litigation.
Teppler said he suspects that from the time the settlement was allegedly reached on April 15, Springhill has decided "that there are some facts about the case that the medical center would prefer not disclosed. The redactions make it difficult to ascertain," he said.
Meanwhile, patient safety concerns involving hospital ransomware attacks are a growing worry in the healthcare sector.
Just this week, a labor union representing nurses and other medical professionals who work at Ascension Providence Rochester Hospital in Michigan has signed a petition demanding that Ascension take actions to protect patient safety in the wake of a May 8 cyberattack.
That incident took out electronic health records and other IT systems, forcing clinicians to use time-intensive manual processes and paper charts (see: Union Demand Patient Safety Fixes in Ascension Cyber Outage).
The union is demanding that Ascension implement a number of patient safety protocols while it is recovering from the attack, including reducing the patient-to-nurse ratio as clinicians are forced to spend more time manually obtaining and documenting crucial patient information.
Also, new research published on Wednesday in the Journal of the American Medical Association that analyzes disruptive ransomware attacks against hospitals in California from 2014 to 2020 found a temporary decrease in emergency department visits and inpatient admissions in hospitals targeted by attacks - and a corresponding temporary increase in emergency department visits to nearby hospitals that were not attacked.
The findings suggest that the consequences of ransomware attacks are broader than the targeted hospital and also affect healthcare providers in the nearby regions.