Because the Düsseldorf university clinic was paralyzed by a blackmail Trojan, a woman in danger of death had to be diverted. She died during treatment. The hackers accidentally attacked the hospital. However, their repentance came too late.
The Düsseldorf University Clinic had a digital heart attack last week: phones, emails, access to patient data – almost everything suddenly stopped. The largest hospital in the state capital canceled the emergency care and operations were canceled. Rumors of a hacker attack that had lasted for days were only confirmed in the state parliament a week later on Thursday. The government announced: 30 servers in the university clinic had been digitally locked by hackers. After the perpetrators realized what they had done, they handed out a virtual key. But by then it was obviously too late.
The Minister of Justice summarized the cyber crime thriller in a report for the state parliament: According to this, the hackers had left a blackmail letter on a server – but addressed to the Heinrich Heine University in Düsseldorf. In the letter, the blackmailers asked to be contacted without giving any amount of money.
The investigators used the channel offered and informed the perpetrators that their hacking attack did not attack the university with its professors and students, but the affiliated hospital. This puts patients at considerable risk. Almost unbelievable: According to the Justice Department, the hackers withdrew their blackmail. Remorsefully, they sent a key to unlock the data. It is assumed that the university clinic only fell victim by chance, said a spokesman for the public prosecutor’s central and contact point Cybercrime North Rhine-Westphalia (ZAC) on Thursday.
A coincidence with dramatic consequences: According to the Justice Ministry, a life-threatening patient should have been admitted to the university clinic one night after the system failure. Because this did not work, she was taken to a more distant hospital in Wuppertal. Your treatment could only take place one hour late. She died a little later, the Justice Minister said in his report.
A spokesman for the Düsseldorf University Clinic emphasized on Thursday that his house had already been deregistered from emergency care that night. Ambulances would no longer have approached the clinic. According to the report to the state parliament, the cyber investigation authority ZAC is still checking whether it will take on the investigation – and the procedure may be expanded to include accusations of negligent homicide. The decisive factor could be whether, according to the autopsy, the woman would have died had it not been for the delay. If the woman actually died as a result of the attack, she would be the world’s first clearly verifiable fatality from a hacker attack.
The loophole was known
In the meantime, the ZAC experts have already reconstructed the security gap with the university clinic: It was in a commercially available software that is used around the world and is used in many companies. According to the Federal Office for Information Security (BSI), it was a Citrix program. A vulnerability in the company’s VPN products that has been known since January is being exploited for cyber attacks.
According to the previous knowledge, no data was stolen or irretrievably deleted during the hacker attack. The clinic expects, however, that it will take some time before patients can be treated normally again. At first no more was known about the hackers. After handing over the digital key, they did not respond to any further attempts at contact by the police.
There is some evidence that the attackers’ program could have been Emotet, which the BSI recently described as the “king of malware”. The software is distributed, among other things, via the aforementioned VPN programs, which many people use to access the company’s own systems in the home office during Corona times. Emotet is initially geared towards spying on infected corporate networks. The program can then reload further malware – and lock away all data.
On the website of the university clinic – which is still working – it said on Thursday that the telephone connections were also available again, with a few exceptions. The clinic can no longer be reached by email. The house remains deregistered from emergency care for the time being. After the digital heart attack, rehab is now beginning.