Losing a child is every parent’s worst nightmare. When the parent believes that their baby’s death was caused by negligence, it’s especially tragic — because perhaps that loss could have been prevented.
Teiranni Kidd of Mobile, Alabama knows this all too well. She filed a lawsuit claiming that her baby’s death was the result of negligence by Springhill Medical Center.
In July 2019, Kidd gave birth to her baby daughter, Nicko Silar. At the exact time that Nicko was being born (during and immediately following delivery), the hospital was the victim of a cyberattack that resulted in several machines malfunctioning.
Nicko was born with the umbilical cord wrapped around her neck. The lack of oxygen, and the amount of time it took for the doctors to discover and remove the cord, led to brain damage. She also suffered an acute kidney injury that required her to be fed by a feeding tube until she died 9 months later.
Kidd claims that the ransomware attack caused the electronic monitoring devices to fail and that if that had not happened, the doctors would have known of the umbilical cord problem sooner and could have saved Nicko. She is suing the hospital for negligence and wrongful death.
Can a cyberattack be medical malpractice?
Medical malpractice is a form of negligence that arises when a patient is harmed because the medical professional or facility fails to perform medical duties according to the appropriate standard of care. To be found negligent, the plaintiff’s lawyer must prove that the action (or lack of action) was below the accepted standard of medical care.
It’s important to note that while medical malpractice is always negligence, not all negligence is medical malpractice. Kidd is not alleging that mistakes were made in diagnosing or treating her baby’s condition, but rather that the hospital was negligent in not properly taking additional steps to monitor her baby during the cyberattack. Even so, medical malpractice can include the failure to perform appropriate patient monitoring and to respond quickly enough to a problem.
The normal standard of care in Springhill Medical Center is that the laboring person and the baby have their vital signs constantly monitored. The stats are visible on a screen at the nurses’ station. If anything begins to go awry, the nurses immediately alert physicians for medical intervention.
However, when Kidd was in labor with Nicko, the system had been locked down by hackers demanding a ransom payment from the hospital. Since the regular monitors were unavailable during the attack, the nurses had to rely on a bedside printout. However, this method does not provide instant alerts if something is wrong. Kidd’s attorney claimed that this process led to “significant gaps in fetal tracing” during her delivery. Kidd also had gestational hypertension, which is a high-risk condition.
Kidd said in the complaint that if she’d been aware of the cyberattack and how it would affect her delivery, she would not have chosen to give birth at that hospital at the time.
Does the hospital have a defense?
The court battle is just beginning for Kidd.
However, the hospital’s representative has said that the center was not negligent. He said that during the time that the hospital was under cyberattack, it implemented “downtime procedures in place for planned and unplanned downtime” because the hospital was prepared to operate under a crisis situation.
Further, the hospital’s attorney noted that crisis situations can include hurricanes or other natural disasters that can also affect electronic systems.
Who is liable for a cyberattack?
Most cyberattacks involve data security breaches or the loss of personal information to a third party. Unauthorized sharing of personal information can definitely be damaging, but unless the plaintiff can prove actual damages, a lawsuit is unlikely to be successful.
U.S. law holds that in a cloud computing environment, it’s the owner of the data that faces liability for losses related to a data breach. Even if the entity (like a retailer) outsources data security to another firm, it’s ultimately the responsibility of the data holder to ensure that information is maintained safely.
Usually, a company is held liable for a data breach or cyber intrusion under these conditions:
- It failed to use reasonable security measures or safeguards (or as required by statute).
- It failed to remedy or mitigate the damage after a breach.
- It failed to timely notify people affected.
Of course, you may be thinking:
But the cyberattack at Springhill Medical Center could have caused Nicko to die. That’s different from a data breach!
Yes, very true.
On Oct. 28, 2020, staff at the University of Vermont began alerting their IT team that there were strange problems happening with computer functions. The attack resulted in issues with electronic health records, payroll, appointment scheduling and tracking, and other systems.
It took several days to get the system back online and functioning properly. In the meantime, cancer patients had to find alternate locations for radiation treatments, surgeries had to be rescheduled, and patient care was affected in several other ways.
When the Universal Health hospital chain, which operates in several states, suffered a cyberattack, it had to relocate surgical patients and divert ambulances to other facilities.
Hackers know that a hospital is one of the most vulnerable entities because they rely so heavily on technology and they literally have lives hanging in the balance… which is why a ransomware attack can be very profitable for a hacker.
Negligent cybersecurity that results in injuries
The purpose of personal injury law is to recover damages that compensate a plaintiff (injured person) for the financial cost of the injury. If you’re injured in a car accident, for instance, the amount of damages you can claim would be the cost of your expenses for medical treatment, lost wages, and other costs related to the physical injuries.
The same could apply to a hospital that was negligent in not taking proper care of patients during a cyberattack. In the case of Baby Nicko, her parents filed a wrongful death claim alleging that since the hospital knew the machine wasn’t working, the staff should have taken other measures to monitor the baby’s health.
What is the hospital’s responsibility during a cyberattack?
Whether or not the hospital is held liable for failed systems in a cyberattack (and to what extent) depends on factors that include:
- The type of attack (how systems were affected)
- Whether the system failures were intentional or negligent
- What actions the hospital took to mitigate damage during the attack
- What types of preventive measures were in place prior to the attack
- Whether similar attacks have happened in the past
- What the hospital did (and how quickly) to ensure continuity and quality of patient care
Incident preparation and risk management, along with incident response planning, must be integral to a hospital’s functioning.
Baby Nicko’s case has not yet completed its journey through the court system. However, it could set precedent for cases that are bound to come later. As the healthcare industry increases its use of sophisticated technology (and hackers also become more sophisticated), there will be more and more instances when a hack or other type of electronic downtime could affect systems related to patient care.
A hospital could be negligent if it failed to have the appropriate safeguards and contingency planning for an unexpected event and if that event caused you an injury.
Even the fact that a hospital might contract with an outside vendor for cybersecurity is not enough. It must still have procedures and staff training to manage without certain electronics if systems go down.
For instance, the nurses overseeing Kidd’s delivery of Nicko knew that they couldn’t see the monitoring on their screen at the nurses’ station. They also knew that the fetal monitor would be producing and printing a reading of Nicko’s heart rate and other health indicators at Kidd’s bedside. Therefore, Kidd’s lawyer might argue that the nurses should have been more proactive in watching the printed readings to know if Nicko was in distress, even though they could not see the readings via their usual procedure at the nurses’ station.
The lawyer might be able to successfully argue that if the doctors and nurses had been vigilant in checking the machines at Kidd’s bedside — even though electronic monitoring systems were down — they would have known sooner that Nicko was in distress and the doctor could have delivered the baby sooner, which could have saved her life.
However, the plaintiff would also need to prove that Nicko’s death was the result of the failure to properly follow the fetal monitors and that she did not have some condition that would have led to injuries and death that was unrelated to the fetal monitoring. In other words, Nicko would not have suffered kidney damage and died if she had been properly monitored and delivered differently or faster.