On 11 September 2020, one of the first cases of death by ransomware hit the news. The Düsseldorf University Hospital in Germany was hit by a ransomware campaign that disabled the hospital’s systems to the extent that it could no longer accept new admissions to its accident and emergency department. Hospital staff were forced to re-route patients to Helios University Hospital in Wuppertal, a neighbouring city 19 miles away. For one patient, a 78-year-old woman who was suffering from an aortic aneurysm, this proved fatal. The re-routing of her ambulance delayed her treatment by an hour and she passed away. This was suggested to be the first instance of death by ransomware.
Ransomware attacks are not new
They encrypt data, which can prevent systems from functioning properly. Attackers demand a payment – usually in a cryptocurrency like Bitcoin – in return for a key which allows decryption of the data (and restoration of the system’s functionality). Whether that key actually works is a gamble – many attackers provide keys that simply do nothing, duping the victim and taking their money.
In most sectors, a ransomware attack is a critical event. It can cause a business to lose access to all of the data or systems that enable it to operate. This can halt production lines, cause online shopping platforms to crash or make key project data unavailable. But in healthcare, where doctors and medical staff rely on access to that data to provide critical care, it can be life-threatening.
Ransomware: Availability vs confidentiality
In cyber security, ‘availability’ of an asset (such as data) is one of the three elements of the CIA triangle. The others – ‘confidentiality’ and ‘integrity’ – relate to data being accessible only by authorised parties and to data not being modified or changed without due control.
In 2020, ransomware that only impacted availability was common. It would encrypt data, render systems unusable and ask for a payment to restore access. What was rapidly gathering popularity, however, was ransomware that would also impact data confidentiality.
Attack on mental health giant
In October 2020 a system developed and owned by a company called Vastaamo – containing mental health records – was attacked. A copy of all the data on the system was sent to the attacker, including names, addresses, social security numbers, email addresses and therapist notes on each private session.
Mental health patients confide their deepest fears, secrets and most traumatic events in their therapist. They may not even share these with close family and friends. For many, a therapist is a lifeline in managing conditions such as anxiety, PTSD and depression.
The attacker had a choice: either contact the organisation that owns the software system (Vastaamo) or the 36,000 patients whose data they now held. It is often a cost/value proposition – what will yield the better return for the least amount of effort? Unsurprisingly, the attacker targeted Vastaamo: ‘€450,000 or the data is leaked online.’
Vastaamo chose not to pay the ransom. This very quickly led to two things happening:
One – patients received a ransom email demanding a payment of €200, increasing to €500 if not paid within 24 hours. The subject line was their name, social security number and the clinic they had visited to receive treatment.
Two – the attacker posted a 10-gigabyte archive on the dark web which contained clinical notes of around 2,000 patients. This was available for all to download and view. It was a warning – ‘I will do what I say, unless you pay me.’ Some patients did pay. But many did not.
Since the attack, Vastaamo has ceased trading. The full extent of the impact on patients is unknown. Support services set up by the Finnish government and healthcare service have seen 22,600 victims engage with Victim Support Finland. Anxiety, insecurity and stress have been identified as key health impacts of this event. But, of the patients contacted by the attacker, it will likely never be known exactly how each individual was affected, or how their health or life has changed as a result.
Another attack, this time on the NHS
On 4 August 2022, the NHS 111 service in the UK was knocked offline. The service provider had suffered a major incident which was later stated to be a ransomware attack. NHS 111 is a non-emergency service that allows the general public to access healthcare advice over the phone. It is free at the point of use, is used by thousands of people each day and was a key service during COVID-19.