EXECUTIVE SUMMARY

A hospital is facing a malpractice lawsuit after a ransomware attack disrupted service and data availability. The patient’s death could be the first clearly caused by a cyberattack.

  • Cyber insurance might not cover such litigation.
  • More lawsuits could be filed alleging patient harm from a cyberattack.
  • Hospitals and health systems must use a security infrastructure that minimizes patient risk from an attack.

An Alabama hospital is facing a medical malpractice lawsuit in which parents claim their newborn child died because of a ransomware attack that shut down the facility’s computer systems for eight days. If the allegations are proven, the case could mark the first death directly attributable to a ransomware attack. The case also could signal an increased risk of malpractice claims following a cyberattack.

The ransomware attack occurred in 2019. According to the lawsuit, the attack left personnel with little or no access to health records, lab results, or fetal heart rate monitoring. The lawsuit claims “the only fetal tracing that was available to healthcare providers during [the mother’s] admission was the paper record at her bedside. Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses’ station or by any physician or other healthcare provider who was not physically present in [the mother’s] labor and delivery room. As a result, the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced, and important safety-critical layers of redundancy were eliminated.”

The baby was delivered with the umbilical cord around her neck, leading to severe brain damage and death nine months later. The ransomware attack had not been publicly reported, and plaintiffs allege the hospital did not adequately communicate to healthcare personnel, patients, or the general public the safety risks posed by the ransomware attack.

Response Is Key

The liability for the child’s death likely will come down to determining the proximate cause, says Jason Rosenthal, JD, principal with Much Shelist in Chicago. The case will turn on the hospital’s actions in not preventing the attack and how it responded during and after the attack.

“One of the lessons from this is you need to be prepared — not just in terms of preventing attacks, but, almost equally important, what you do in response to an attack. I think the liability here will turn on what the hospital knew, when they knew it, and what they did or did not disclose,” Rosenthal says. “The question will be what was disclosed and whether the family might have gone to another hospital had they been provided with this information.”

Hospitals and health systems should expect to be attacked, he says. Thorough and current cybersecurity protection measures remain the backbone of any defense. Rosenthal endorses the practice of periodically challenging employees with tests, such as sending an email with an unknown (harmless) attachment to see if they will open it, disregarding instructions not to do so. Employees who do click on what should be seen as a suspicious attachment should be required to undergo additional training.

Nonetheless, risk managers and other health leaders should expect their employees to make mistakes even when stringent security measures are in place, Rosenthal says. No protections are foolproof as long as human employees are involved.

“The attacks are getting more sophisticated. The greatest thing risk managers can do is to plan ahead, and that includes acknowledging that you could find yourself in this situation in which all the very good safeguards and protections you installed have been overcome and you find yourself with a significant disruption of services,” he says.

The plan should spell out the response to a cyberattack in the same way most hospitals have created detailed response plans for natural disasters, fires, and other crises, Rosenthal says. There should be a detailed plan for who should be notified, who addresses various needs and concerns, how to take networks offline, how to access backup data and who will do so, and more.

Cyber Insurance May Not Apply

Cyber insurance can offer another layer of protection, but the applicability to cases alleging patient harm from a cyberattack is unclear. Policies might offer coverage for harm caused directly to the policyholder, or they may offer third-party coverage that applies when someone else is harmed because of the cyberattack on the hospital, Rosenthal notes.

A professional liability policy also could come into play. Theoretically, a healthcare organization could draw on one or both types of insurance coverage when a patient is harmed by a cyberattack.

“Know what your cyber policy covers, and keep it handy so that when things start to happen you can refresh yourself on what is covered and who you are going to call if there is an issue,” Rosenthal says. “Many of these policies ask when you’re applying for the policy what kind of network controls you have in place, and the insurer requires that you maintain those protections. It is important to make sure you are staying up to date and not jeopardizing your coverage.”

In the past, third-party harm from a cyberattack probably would have been covered by a professional liability policy because cyber liability exclusions were uncommon, says Dan Hanson, CPCU, senior vice president for management liability with the Marsh & McLennan Agency in Minneapolis. That has recently changed.

“Now that policy is likely going to have a strict cyber liability exclusion on it, meaning they are pushing all that exposure over to the cyber liability policy,” Hanson explains. “If they find that 100% of the cause of bodily injury was the cyberattack, and that policy has to cover it all, I would guess there’s going to be a bodily injury exclusion in that cyber policy. You potentially would have a gap in coverage.”

The cyber insurance policy more commonly covers the costs of investigation, data restoration, and other expenses related to the cyberattack, but third-party damage exclusions are becoming more common and broader, Hanson says.

Similar lawsuits are likely to follow, at least in the short term, says Thomas Finn, director of market development for Medigate, a healthcare cybersecurity company based in St. Simons Island, GA.

“I think we will see health systems succumb to mounting regulatory-, business-, and board-driven pressures to harden their security infrastructures, and, as a result, achieve some level of protection from such liabilities in the medium to long term,” Finn says. “I’m not going to argue that a patient death caused by an unreported successful breach will ultimately fall under a force majeure clause. What I’m saying is that any such future protections, insurance coverage, and regulatory relief will all be predicated on the health system having invested in and achieved a modern standard of protection against cyberattacks.”

If the health system is negligent in this respect, it will not be able to buy any protection and will not stay in business, Finn says. But if it does invest, it will largely be covered against such claims.

“In this case, the fact that the breach and related consequences had not been reported means the plaintiff here is highly likely to prevail,” he says.

Healthcare cyber insurance underwriting and credit ratings all will be based on how up to date the health system’s security infrastructure is. “Surprisingly, our government does not want to bury our health systems in penalties and liabilities,” Finn says. “But everyone in the know is saying that the health systems must be part of the solution or all bets are off.”

Hospitals and health systems would be wise to investigate emerging protection standards driven by federal regulations, cyber insurance, and credit bureaus. They must conduct business with all three entities anyway, so they might as well do what they can to satisfy them, Finn says.

Insurance carriers and credit bureaus — not the government — will conduct security risk assessments and point out infrastructural weaknesses that, if addressed, will lower premium costs and help address negative credit consequences.

“Health systems have nothing but positive reinforcement around making the right investments to harden their security. A hardened security infrastructure is operationally more efficient and is cost-effective from an insurance, credit, and potential fines or penalties that the government would seek to collect,” Finn says. “Health systems also should learn how to scope their attack restoration costs. Assuming they do get hit, how much coverage do they need, and where do they need relief? Amazingly, most health systems really don’t understand the extent of the damage caused by a successful breach.”

A firm policy of never paying ransom is feasible only if the government guarantees restoration cost coverage, says Finn, who does not see this happening.

“I do see some combination of public and private relief coalescing, but that will be dependent on the quality of the health systems defenses,” he says. “In other words, there is no solution for the health system that will work if they don’t wisely invest in their security infrastructures.”

The fact that the breach went unreported “was nuts. Hard to believe,” Finn says. The hospital did not immediately report a HIPAA breach, and issued a press statement acknowledging a security incident a week into the ransomware period, on the day the plaintiff delivered her baby. The plaintiff alleged she did not know of any cyberattack or compromised operations when she entered the hospital.

The breach of protected health information (PHI) poses a serious liability risk, aside from any patient safety issues related to the attack, Finn says. About one-third of healthcare facilities hit by ransomware will pay the ransom, and data access will be restored by the cybercriminal in 69% of those cases, Finn says. Those organizations usually think that means they are protected from lawsuits.

“Of course, they’re not. This scenario just played out in Massachusetts” after a cyberattack breached PHI, Finn says. “The plaintiff lawyers said payment of the ransom was an admission of guilt, and they would not accept the word of the cybercriminal as evidence that stolen patient data had been destroyed.”

Hospitals and health systems must harden their security infrastructures and protect themselves from cyberthreats, be immediately transparent about any breach or disruption, and always must demonstrate they are doing everything they can to prevent cyberattacks.

“If a hospital behaves in this way, they will be best positioned to deal with the restoration costs and move on. If they don’t, they leave themselves open to fines, fees, and astronomical, untold liabilities,” Finn says.

SOURCES

  • Thomas Finn, Director, Market Development, Medigate, St. Simons Island, GA. Phone: (855) 908-0775.
  • Dan Hanson, CPCU, Senior Vice President, Management Liability, Marsh & McLennan Agency, Minneapolis. Phone: (763) 548-8599. Email: dan.hanson@marshmma.com.
  • Jason Rosenthal, JD, Principal, Much Shelist, Chicago. Phone: (312) 521-2437. Email: jrosenthal@muchlaw.com.