
Anatomy of a Breach: Düsseldorf University Hospital — The First Ransomware-Linked Death

> series: anatomy_of_a_breach —— part: 141 —— target: dusseldorf_university_hospital —— consequence: patient_death —— vulnerability: citrix_cve-2019-19781

Hedgehog Security 30 September 2020 14 min read

A hospital. Ransomware. A patient diverted. She died.

On 10 September 2020, Düsseldorf University Hospital in Germany was hit by DoppelPaymer ransomware that encrypted 30 servers, disabling the hospital's IT systems and forcing it to deregister from providing emergency care. A woman requiring urgent treatment for a life-threatening condition was diverted from Düsseldorf to a hospital in Wuppertal, approximately 30 kilometres away. She died during the extended journey — the delay caused by the ransomware-forced diversion contributing to the fatal outcome.

German prosecutors initially investigated the case as negligent homicide linked to the ransomware attack — the first such investigation in history. The prosecution was ultimately dropped because medical experts could not conclusively prove that the diversion alone caused the death. But the case crossed a threshold that the cybersecurity community had long warned about: ransomware against healthcare infrastructure can have lethal consequences. The attack exploited CVE-2019-19781, a critical vulnerability in Citrix ADC/Gateway VPN appliances that had been publicly disclosed in December 2019 and patched in January 2020 — nine months before the attack.

The theoretical became reality. Ransomware against healthcare has lethal consequences.

Since Hollywood Presbyterian (2016) and WannaCry's devastation of the NHS (2017), this series has warned that ransomware against healthcare can endanger patients. Düsseldorf proved it: a patient died because a hospital's emergency department was unavailable due to ransomware. The theoretical risk became a documented fatality.

Healthcare Ransomware Is Now a Lethal Threat

The Düsseldorf case proved that ransomware against hospitals can result in patient deaths — transforming it from a cybercrime issue into a public health emergency. For UK [healthcare organisations](/blog/sector-under-the-microscope-healthcare), ransomware resilience is patient safety. [SOC in a Box for Healthcare](https://www.socinabox.co.uk/sectors/gp-surgeries) provides the 24/7 monitoring that detects ransomware before it encrypts.

Nine Months After the Patch — Again

CVE-2019-19781 was patched in January 2020. Düsseldorf was attacked in September 2020 — nine months later. The pattern is identical to [WannaCry](/blog/anatomy-of-a-breach-wannacry) (59 days), [Equifax](/blog/anatomy-of-a-breach-equifax) (2 months), and [Baltimore](/blog/anatomy-of-a-breach-baltimore-ransomware) (26 months): known vulnerability, available patch, not applied. [Cyber Essentials Danzell](/cyber-essentials) mandates 14-day critical patching.

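The patch-gap arithmetic this series keeps returning to, as an added example that is not Hedgehog Security's code: for a constructed Citrix appliance inventory it splits each host's exposure into days before any vendor fix existed and days an available fix went unapplied, and flags anything past the 14-day window cited above. Hostnames and exact dates are assumptions (the article gives only December 2019, January 2020 and 10 September 2020), and the check generalises to any CVE in the inventory, not only CVE-2019-19781.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_SLA_DAYS = 14  # the 14-day critical patching window cited in the article


@dataclass
class Appliance:
    host: str
    cve: str
    disclosed: date                # vulnerability publicly disclosed
    patch_available: date          # vendor fix released
    patch_applied: Optional[date]  # None = still unpatched


def exposure(a: Appliance, as_of: date) -> Tuple[int, int]:
    """(days with no fix available, days a fix existed but was not applied).
    Only the second window is the patch gap the article describes; the SLA governs it."""
    end = a.patch_applied or as_of
    no_fix = max(0, (min(end, a.patch_available) - a.disclosed).days)
    unapplied = max(0, (end - a.patch_available).days)
    return no_fix, unapplied


def sla_breached(a: Appliance, as_of: date) -> bool:
    """True when the fix sat unapplied longer than the SLA allows."""
    return exposure(a, as_of)[1] > PATCH_SLA_DAYS


def report(inventory: List[Appliance], as_of: date) -> List[dict]:
    """One row per appliance, worst offenders first, so the unpatched perimeter is visible."""
    rows = []
    for a in inventory:
        no_fix, unapplied = exposure(a, as_of)
        rows.append({"host": a.host, "cve": a.cve, "no_fix_days": no_fix,
                     "unapplied_days": unapplied, "still_unpatched": a.patch_applied is None,
                     "sla_breached": unapplied > PATCH_SLA_DAYS})
    return sorted(rows, key=lambda r: r["unapplied_days"], reverse=True)


# Constructed inventory: hostnames and exact dates are illustrative, not from the article,
# which gives only "December 2019" (disclosure), "January 2020" (patch) and 10 September 2020.
DISCLOSED = date(2019, 12, 17)
FIX_RELEASED = date(2020, 1, 24)
ATTACK_DATE = date(2020, 9, 10)
INVENTORY = [
    Appliance("citrix-gw-01.example", "CVE-2019-19781", DISCLOSED, FIX_RELEASED, None),
    Appliance("citrix-gw-02.example", "CVE-2019-19781", DISCLOSED, FIX_RELEASED, date(2020, 2, 3)),
    Appliance("citrix-gw-03.example", "CVE-2019-19781", DISCLOSED, FIX_RELEASED, date(2020, 5, 15)),
]
```

Run `report(INVENTORY, ATTACK_DATE)` to list the hosts; the still-unpatched gateway shows 230 days of avoidable exposure on the day of the attack.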
VPN as Entry Point

The Citrix VPN vulnerability was the entry point — the same pattern seen at [Travelex](/blog/anatomy-of-a-breach-2019-year-review) (Pulse Secure VPN). VPN appliances sit at the network perimeter and, when compromised, provide direct access to internal systems. Our [vulnerability scanning](/vulnerability-scanning) identifies unpatched VPN appliances. [Infrastructure testing](/penetration-testing/infrastructure) assesses VPN security.

Negligent Homicide Investigation

German prosecutors investigated the case as negligent homicide — establishing a legal precedent that ransomware attacks causing patient deaths could result in criminal charges against the attackers. For healthcare organisations, the Düsseldorf case means that cybersecurity failures that contribute to patient deaths may also create liability for the organisations themselves.

Patch. Monitor. Prepare. Because the next death will not be investigated as negligent homicide against attackers alone.

The Düsseldorf case demands action from every UK healthcare organisation. Cyber Essentials Danzell's 14-day patching mandate exists for this exact scenario. Vulnerability scanning identifies the unpatched Citrix, Pulse Secure, and other VPN appliances that attackers target. SOC in a Box for Healthcare provides 24/7 monitoring that detects ransomware deployment. Infrastructure testing validates backup integrity and recovery procedures. And UK Cyber Defence provides the incident response capability that keeps hospitals operational during attacks. Because the next ransomware fatality is not a question of if — it is a question of when and where.


A patient died because a hospital was hit by ransomware through an unpatched VPN. Is your healthcare organisation patched?

[Vulnerability scanning](/vulnerability-scanning) finds unpatched VPNs. [Cyber Essentials](/cyber-essentials) mandates 14-day patching. [SOC in a Box for Healthcare](https://www.socinabox.co.uk/sectors/gp-surgeries) detects ransomware. Because patient safety is cybersecurity.