By Keri Forsythe-Stephens

From a medical cybersecurity perspective, it was a significant—albeit grim—milestone. The family of infant Nicko Silar filed a lawsuit against Mobile, Ala.-based Springhill Medical Center alleging that the three-week ransomware attack that took place at the hospital in July 2019 directly led to the child’s death.

Teiranni Kidd, Nicko’s mother, included in the lawsuit a text conversation between the OB who delivered the baby and the nurse manager, which classified the death as “preventable.” In the texts, the doctor said she “100%” would have performed a C-section on Kidd if she knew that the baby’s heart rate was accelerating. Tragically, the vital signs monitors that could have alerted her about the emergency—caused by the umbilical cord being wrapped around Nicko’s neck—were affected by the cyberattack. Nicko died nine months later due to severe brain damage, according to court documents.

Keri Forsythe-Stephens, Chief Editor

Not only did the cyberattack impact fetal monitoring equipment—Springhill Medical Center refused to pay the hackers’ ransom—electronic heath records and the wireless tracking system used to locate staff were also impaired. Kidd said she was unaware about this situation when she arrived at the hospital to be induced, however. 

“Upon information and belief, the only fetal tracing that was available to healthcare providers during Teiranni’s admission was the paper record at her bedside,” according to legal documents.

Jeffery St. Clair, Springhill Medical Center’s CEO, denies any malpractice. “We stayed open and our dedicated healthcare workers continued to care for our patients because the patients needed us and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so,” he told The Wall Street Journal.

To Josephine Wolff, an assistant professor of cybersecurity policy at the Tufts University Fletcher School of Law and Diplomacy, the issue is multifaceted. “Even though Springhill didn’t immediately publicly acknowledge the attack, the day Kidd was admitted to the hospital, it issued a press statement saying it had suffered a security incident, though it didn’t specify that the incident was a ransomware attack,” Wolff ruminated in a Slate column. “So, by the time Kidd entered the hospital, the ransomware attack—already more than a week old—certainly wasn’t a secret, but neither had the hospital been entirely transparent about what was going on.”

What do you think? Should Springhill Medical Center be held liable for Nicko’s death or not? Let me know at kstephens@medqor.com.

Keri Forsythe-Stephens is chief editor of 24×7.