Mobile, Alabama Hospital Refuses to Pay Settlement in Landmark Ransomware Death Lawsuit

Springhill Medical Center, a hospital in Mobile, Alabama, reportedly agreed to a settlement with plaintiff Terianni Kidd, after she sued the facility for the death of her newborn following a ransomware attack on the hospital in 2019. The details and value of the settlement have not been publicly released in this landmark medical ransomware death lawsuit, which was finalized last month.

According to court filings, lawyers claim the facility is now having “second thoughts” and is reconsidering the agreement. The plaintiff’s attorney, Lucy Tufts, has requested the Mobile County Circuit judge enforce the previous settlement agreement with Springhill Medical Center. She claims the facility is “attempting to redefine its terms to increase opportunities for clawbacks,” according to a report from Lagniappe, a South Alabama news organization.

Kidd’s newborn suffered a fatal brain injury during the ransomware attack, which crippled critical monitoring systems in the facility’s labor and delivery unit.

Cybersecurity expert Dr. Saif Abded submitted a clinical risk analysis as part of the case, which assessed whether an adverse change in the clinical risk profile of the Springhill Medical Center Labor and Delivery Unit (SMC LDU) happened following the ransomware attack. The report concluded that clinical risks for the plaintiff increased due to the unavailable technology, with no standardized process to manage these risks and no proper communication of these risks:

In summary, our consultants identified that there was an adverse change to the clinical risk profile of the SMC LDU prior to and including the admission and discharge period of TK due to the loss of availability of the aforementioned technology platforms. Additionally, there was no structured or standardized process in place within the SMC LDU to mitigate the negative clinical risks which emerged. Finally, there as no evidence seen that the change in the risk profile of the SMC LDU was communicated to TK or KP in a proactive or appropriately detailed manner. Consequently, neither party could be considered appropriately informed in their understanding of the clinical risks that could manifest as part of the admission of TK to the SMC LDU in July 2019.

The mother claimed in the lawsuit that she was led to believe the facility was facing a WiFi outage. An SMC employee who worked at the facility during the time of the attack commented on Reddit about the incident, stating that it took 3-4 months for full functionality to be restored:

I worked there during the attack. You couldn’t look up a patient’s drug allergies, or their airway history if they were having surgery. It was a complete shit show and it went on like this at some level for months.

I still don’t think people in Mobile really grasp how bad it was. At the very least, the hospital should have cancelled all scheduled surgeries and high risk deliveries and coordinated with other hospitals to get those patients transferred. They threatened to shitcan us if we told patients anything or talked to the media. Hospital administration killed this baby, and I’m glad this stuff is being exposed. Better late than never.

According to stats from Emisoft, ransomware attacks are estimated to have killed up to 67 Medicare patients between 2016 and 2021. In 2023, Emisoft tracked 2,207 US hospitals, schools, and governments that were directly impacted by ransomware, with many more being indirectly impacted via attacks on their supply chains.

Ascension has already been hit with two proposed class-action lawsuits one week after a ransomware attack disrupted its operations. Complaints were filed in district courts in Illinois and Texas after a cyberattack took systems offline for Ascension’s 140-hospital portfolio. Plaintiffs allege Ascension neglected to encrypt patient data and leaves victims “at a heightened risk of identity theft for years to come.”

Halcyon published a report on the patient risks associated with the attack on Ascension, where patients are being treated without access to critical healthcare records. The staff has reportedly been forced to depend on manual paper-and-pen systems in the treatment of patients, which one nurse described as “pure and utter chaos from the second you walk into the door.”

This settlement in the case against Springhill Medical Center sets a significant precedent for similar future cases, highlighting the increased accountability hospitals face for securing their IT systems and protecting patient safety during cyber incidents. There are several layers of impact in terms of legal, financial, and operational repercussions for healthcare facilities moving forward.

This case may contribute to prompting regulatory changes that could encourage hospitals to implement more robust communication protocols to ensure patients and their families are adequately informed about potential risks. Patients deserve to know if the hospital is under attack so they can make critical decisions about their healthcare.