Press "Enter" to skip to content

Is the Düsseldorf cyberattack really the first to result in death?

German authorities are investigating what may be, as no shortage of media coverage has posited, the world’s first death linked to a cyberattack.

As the reports go: A ransomware-crippled clinic in Düsseldorf, Germany, turned away an ambulance bearing someone in need of emergency care earlier this month. The 78-year-old patient, who was suffering an aortic aneurism, died after being rerouted to another facility. (It is not clear whether quicker medical intervention would have saved her life.)

The incident represents a grievous health-care failure in a year full of them. Yet whenever I read “first,” my journalistic skepticism sensors go blaring. It takes only one example to disprove a supposed first. And as the Old Testament has long instructed humanity, there is nothing new under the sun.

What qualifies as a death linked to a cyberattack? Does the U.S. military blowing up an enemy combatant—or an innocent bystander, for that matter—by remotely detonating an improvised explosive device via hijacked cellular signal count? Or how about if a government—the Communist Party of China, say—kills moles and CIA informants after learning their identities, having hacked the covert communications network by which they communicate? How exactly does one define “cyberattack,” and when can it be said to result in death?

Perhaps one might grant that the Düsseldorf incident represents the first explicitly recorded case of a cyberattack leading to the death of a civilian. But even then, the data appear to indicate otherwise.

A study published last fall in Health Services Research, a health-care journal, suggests that cyberattacks have been killing people for years. The researchers, surveying Department of Health and Human Services records pertaining to more than 3,000 U.S. hospitals between 2012 and 2016, found an uptick in deaths at hospitals that recently suffered data breaches and ransomware attacks.

Hospitals that had been hit with such cyberattacks in the past three years were, on average, 2.7 minutes slower to take patient electrocardiograms—and their patients were 0.36% likelier to die of a heart attack. “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors concluded, in that jargony, passive voice of institutional science that so effectively disguises tragedy.

The uptick may seem like a small one, but it is real—and devastating. Across the whole health-care system, meager increases in mortality rates have profound impacts. These are people’s lives we’re dealing with; basis points represent parents, siblings, loved ones.

The Düsseldorf hackers are still at large—as are so many other deplorable hospital-extorting cybercriminals. Christoph Hebbecker, head of the cybercrime unit in Cologne, told me his team has opened a negligent homicide investigation and is pursuing leads. “There are no specific persons under investigation right now,” Hebbecker said in an email. “We are investigating in all directions.”

This may not, in actuality, be the first civilian casualty linked to a cyberattack. But it is heartbreaking nonetheless.

***

Thank you to everyone who wrote in about my Apple Watch dilemma. So many people shared their opinions! The winner of my online poll was, as Aaron alluded to last week, clear: the Apple Watch Series 6. Of course, it is the most expensive option. (You can read Aaron’s review here.)

Now I just have to decide on the finish and wristband…

Robert Hackett

Twitter: @rhhackett

[email protected]