Modernize Path

Stuff that matters

German prosecutors have opened a homicide investigation into the case of a patient who died after a hospital in the city of Düsseldorf was unable to admit her because its systems had been knocked out by a cyber-attack.

The female patient, suffering from a life-threatening illness, had to be turned away on the night of 11 September by the city’s university hospital and died after the ambulance carrying her was diverted to Wuppertal, 30 km (20 miles) away.

Prosecutor Christoph Hebbecker, head of the cybercrime unit in Cologne, said he had opened an investigation into negligent homicide against unknown persons, the Kölner Stadt-Anzeiger daily reported. Hebbecker could not be reached for comment.

If the investigation leads to a prosecution, it would be the first confirmed case in which a person has died as the direct consequence of a cyber-attack.

The university clinic in Düsseldorf, capital of Germany’s most populous state of North Rhine-Westphalia, was hit by a ransomware attack on 10 September that penetrated its systems via a flaw in a Citrix VPN system.

The hospital’s IT operations remain affected and it is still unable to admit patients brought in by ambulance, it said on Friday.

Germany’s cybersecurity agency, the Federal Office for Information Security, was called in to shore up the hospital’s systems. Its chief, Arne Schönbohm, said the Citrix flaw had been known about since December 2019 and called on healthcare facilities not to delay IT security upgrades.

“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” Schönbohm said in a statement. “This incident shows once again how seriously this danger must be taken.”

Ciaran Martin, who stepped down as the head of Britain’s National Cyber Security Centre this month, said the incident could be prove to be first death caused by a cyber-attack.

“If confirmed, this tragedy would be the first case I know of, anywhere in the world, where the death of a human life can be linked in any way to a cyber-attack,” he told an event in London.