The Law Offices of Sanford F. Young, P.C.

Getting results since 1978

Can hospitals be liable for patient harm caused by cyberattacks?

On Behalf of | Mar 6, 2024 | Medical Malpractice

Most people are familiar with cyberattacks – or, as they’re often called, ransomware attacks. They involve hackers getting into a supposedly secure system and taking it over. Those who need to use the system can’t do so until they pay a ransom to the hackers.

A cyberattack not only can prevent a business or organization from doing crucial work. It compromises data that is supposed to remain secured. Hackers can potentially release anything from trade secrets to highly personal customer and employee information or use it for their own purposes.

Hospitals have become a popular target of hackers because in addition to the sensitive information their systems house, they depend on them for patient care. Everything from monitoring and imaging equipment to electronic health record (EHR) systems and more can stop functioning during a ransomware attack. This, of course, compromises the health and safety of everyone relying on the hospital for care. It’s no wonder that they, like other victims, often just pay the ransom rather than let the attack continue.

Do we know how many patients have died as the result of cyberattacks?

While collecting data on fatalities and other negative patient outcomes due to cyberattacks is still in the relatively early stages, there’s no question that lives have been lost. According to one study, cyberattacks increased the fatality rate of patients from 3% to 4%. The impact is likely much higher because determining whether someone died because of a cyberattack can be tricky. Furthermore, hospitals don’t always acknowledge these attacks publicly.

Can hospitals be held liable for malpractice if someone is harmed or dies as the result of an attack? These malpractice claims are still relatively rare. However, they are occurring. One of the first involved the death of an infant who wasn’t able to have her fetal heart rate and other vital signs monitored properly during and after her birth. On top of that, according to the lawsuit, hospital staff didn’t notify the mother of their inability to monitor her newborn. 

While a hospital generally isn’t responsible for a cyberattack unless it failed to put proper safeguards in place, it is responsible for providing patients with the care they need. If they fail to take alternative steps to do that, transfer a patient if necessary or even alert patients and their families to the situation, they can potentially be held liable for malpractice. If you or a loved one has been one of these victims, it’s smart to get a legal perspective on your options for justice and compensation.