by Kapua Iao

Patient dies due to a ransomware attack

Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany’s cybersecurity agency, released a statement on September 17 following a patient’s death after a ransomware attack.

A woman became the first death associated with a cyberattack after the University Hospital of Düsseldorf (UKD) was forced to turn away her ambulance.

What happened?

On September 10, 2020, hackers encrypted UKD’s computer system.

The threat actors infiltrated UKD’s information system through a flaw in its Citrix virtual private network (VPN). The hackers then inserted ransomware and encrypted the hospital’s data.

The hospital was immediately unable to access its data; emergency patients had to be taken elsewhere and operations were postponed.

On September 11 an ambulance attempted to deliver a patient but was turned away. Unfortunately, the woman died en route to Wuppertal, 20 miles away.

A note left by the hackers (excluding a ransom amount) demanded that Heinrich Heine University, affiliated with UKD, contact them.

The hospital requested help from BSI. Authorities reached out to the threat group to inform them that the attack had endangered a hospital and its patients.

The group then withdrew its extortion attempt and provided a decryption key.

An investigation was subsequently launched against the unknown attackers; UKD’s computer systems remained inoperable as of BSI’s press release.

The Citrix flaw

The hackers exploited a vulnerability in Citrix Application Delivery Controller, tracked in the Common Vulnerabilities and Exposures (CVE) list as CVE-2019-19781, which allows unknown parties to perform arbitrary code execution. Cyberattackers used this VPN vulnerability to gain access to the hospital’s computer system.

In fact, cybersecurity officials have known about this issue since December 2019. A U.S. Department of Homeland Security/Federal Bureau of Investigation joint alert from May 2020 included CVE-2019-19781 as a vulnerability exacerbated by the pandemic and social distancing, which have led to an increase in remote work and the cybersecurity challenges that come along with it.

Citrix released a statement in January 2020 stating that the company created its final permanent fix for the flaw. It is unknown how many organizations applied the update.

The takeaway

The head of BSI, Arne Schönbohm, implored hospitals to apply upgrades and patches as soon as they are available:


I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately. This incident shows once again how seriously the danger must be taken.


While healthcare organizations must focus on additional components of cybersecurity, such as HIPAA compliant email, attention must also be paid to safe technology use.

This VPN vulnerability, like other, similar problems, represents a threat vector, or gateway, into any system.

Updating and patching should be a standard part of every cybersecurity program.

As this case demonstrates, data breaches do not just lead to exposed protected health information, HIPAA violations, or fines. Breaches can kill people.

This is especially concerning given the coronavirus and the subsequent growth in cyberattacks over the past few months, particularly against healthcare organizations.
