German prosecutors open negligent homicide investigation into ransomware attack on Düsseldorf hospital after death of woman needing critical care
German police have opened a homicide investigation into a hacking incident that shut down the computer systems of a Düsseldorf hospital after a woman died.
Malware installed by hackers began affecting the systems of Düsseldorf University Hospital (UKD) in the early hours of 10 September, making the facility’s IT systems largely unusable, UKD said in an advisory.
The hospital was no longer able to provide emergency care, and scheduled operations were also postponed.
As a result, a woman who needed urgent admission died after she was taken to Wuppertal for treatment, a distance of 19 miles away.
Industry watchers said the case may be the first known incident of a death occurring as a result of hacking.
Cologne prosecutors officially launched a negligent homicide case on Friday, saying they would look into whether the hackers were responsible.
It is likely the hospital will also be investigated.
The hospital was targeted via a Citrix vulnerability first disclosed in December, according to the German Federal Office for Information Security (BSI), which is involved in restoring the hospital’s IT systems.
The vulnerability, CVE-2019-19781, affected a VPN server used by the hospital and had been patched after Citrix released a fix in January.
But in many cases, hackers had already compromised servers using the vulnerability and installed backdoors that they could exploit later on, and this appears to have been the case in the UKD hack, the BSI said.
The hackers then installed ransomware that encrypted the hospital systems’ data, and demanded payment to restore the data.
Ransomware hacking groups known to be exploiting the Citrix vulnerability include DoppelPaymer, Maze, Ragnarok and REvil (Sodinokibi).
The hospital hack appears to have been intended for another target, German authorities said last week.
They said an extortion note left on the hospital’s servers was aimed at an affiliated university, and not the hospital.
When police told the hackers the hospital had been affected, they provided a decryption key, before disappearing, authorities said.
The hospital said it had had some limited success in restoring its IT systems as of last Tuesday, but that “serious errors” remained.
“Although the extent of the system errors has now been analysed, external specialist companies and the police are still working on investigating the cause,” UKD said at the time.