A lawsuit has been filed on behalf of a mother of a baby who is alleged to have died as a consequence of a hospital ransomware attack. This is the first time that a ransomware attack is alleged to have resulted in the death of a patient.
Teiranni Kidd was admitted at Springhill Medical Center in Mobile Alabama on July 16, 2019 during labor to have her child delivered. Kidd gave birth to her daughter Nicko on July 17, but there were complications with the birth. The umbilical cord had tied around the baby’s neck and there were other complications that resulted in severe brain damage. The baby was transferred to the neonatal intensive care unit where she spent several months but tragically died.
A medical malpractice lawsuit, which claims wrongful death, was filed in January 2020 and was amended with additional claims in April 2020. The lawsuit claims Kidd was admitted shortly after the hospital had suffered a ransomware attack. The attack encrypted files and forced the shutdown of many of its IT systems, which remained offline for 8 days. During that time the hospital was operating under emergency protocols as access to certain systems was not possible.
The hospital had issued a statement shortly after the attack confirming care continued to be provided to patients while the attack was mitigated. A spokesperson for Springhill Medical Center said, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”
According to the lawsuit, Kidd was not aware of the ransomware attack or its impact on hospital IT systems. Had that information been made known to Kidd she would have chosen to have her baby at a different healthcare facility. The lawsuit alleges the complications with the birth should have been identified by the hospital staff, which would have seen Kidd undergo an emergency caesarian. That procedure could have prevented her baby’s injuries and saved Nicko’s life.
Information about the distress of her baby should have been available at the nurses’ station, but the only information was present at Kidd’s bedside, which meant hospital staff that were not in the labor and delivery room could not access that information. “As a result, the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated,” stated the lawsuit.
The lawsuit alleges Kidd’s baby suffered “personal injuries and general damages, including permanent injury from which she died,” as a proximate consequence of the failure to disclose the attack and system outage.
“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information.”
The lawsuit has been scheduled for a jury trial in November 2022. Springhill Memorial Hospital has denied any wrongdoing.