This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.
Zoe Thomas: This is your Tech News Briefing for Monday, October 4th. I’m Zoe Thomas for the Wall Street Journal. For years, cyber security experts have warned that ransomware attacks would come to affect people’s lives in serious ways. The death of a baby may be one of the saddest examples yet. A mother in Alabama is suing the hospital where she gave birth and the doctor who delivered her baby, claiming that you would have gone somewhere else, if she had known about the cyber attack on its systems and its impact on the hospital’s operations.
On today’s show, reporter Kevin Poulsen, who’s been looking into the case, joins us to discuss how this tragic event unfolded, and what it tells us about the increasing risks from cyber attacks. That’s after these headlines.
The whistleblower who gathered documents that formed the foundation of the Wall Street Journal’s Facebook File series has revealed herself to the public. Francis Haugen is a former Facebook product manager. She says she was hired to help protect against election interference on Facebook, and left the company in May, after nearly two years. Here she is in an interview with our sister podcast, The Journal.
Francis Haugen: The thing I want everyone to know is that Facebook is far, far more dangerous than anyone knows. It is accountable to no one, and it is getting worse. We can’t expect it to fix itself on its own.
Zoe Thomas: The documents Haugen gathered showed Facebook knew from its own internal research that its platform could have harmful effects on young users, allow misinformation to spread, and that its algorithms foster discord. She says by the end of her time at Facebook, she came to believe that people outside the company, including lawmakers and regulators, should know what she had discovered.
Francis Haugen: And the thing I wanted was for the public to have enough information that they could make choices on what laws to have to regulate Facebook. And so just bringing my disclosure out has accomplished what I wanted to see.
Zoe Thomas: In a written statement, Facebook responded saying that their teams have to, quote, balance protecting the rights of billions of people to express themselves openly, with the need to keep the platform a safe and positive place. Haugen is scheduled to testify before Congress on Tuesday. You can hear more from Haugen before that on our sister podcast, The Journal.
The Federal Aviation Administration says it’s reviewing a letter signed by a former employee at Blue Origin. The letter claims that the space company prioritized speed over safety on some of its rockets. It also alleges that the company was focused on competition with other space industry billionaires, in that leaders wanted to demonstrate progress to Blue Origin’s founder, Jeff Bezos, by scaling up the number of flights on its New Shepard rocket. Blue Origin said in statement it stands by its safety record, and that the employee who publicly signed the letter was fired for cause two years ago.
Okay, coming up. A ransomware attack at a hospital may have played a role in the death of baby. Should the hospital or doctor have warned the mother about the strike? That’s after the break.
On July 16th, 2019, a pregnant woman, Teiranni Kidd, walked in to Springhill Medical Center in Alabama. She was hoping to soon be able to take home a healthy baby girl. What Kidd didn’t know was that the hospital had been in the midst of a ransomware attack for the past week, and that to contain the damage, the hospital had shut down some of their computer networks, including the network that connected vital sign monitors to the maternity ward nurses station.
Teiranni Kidd now alleges in a lawsuit that those shutdowns led to her daughter suffering brain damage during birth, and eventually brought on the baby’s death. This is the first case in the US to directly link a ransomware attack to a fatality. Reporter Kevin Poulsen has been looking into the case, and the arguments both sides will make about the role the cyber attack played. He joins me now. Hi, Kevin.
Kevin Poulsen: Hi.
Zoe Thomas: Tell me a little bit about Ms. Kidd and what happened to her daughter.
Kevin Poulsen: She was scheduled for a labor induction. She had a normal pregnancy up until that point, but she had high blood pressure, so they wanted to induce. And everything looked normal until a couple of hours before she actually delivered the baby, when a heart monitor that was monitoring the fetal heartbeat started picking up anomalies.
Zoe Thomas: Okay. So where does the ransomware attack come into this?
Kevin Poulsen: The hospital was hit with this cyber attack, and their response to the ransomware attack was to not negotiate. And instead, they actually on their own, shut down their network. So all of these computers that were used to do things like access patient’s history and monitor vital signs, all these systems were down.
This wound up affecting Ms. Kidd, because one of the systems that had been taken down was responsible for monitoring the fetal heartbeat and transmitting it to the nurses station, where all the fetal heartbeats were monitored continuously by the nurses that are staffed there. That system was down. And in fact, the monitor wound up picking up some anomalies that essentially nobody saw, except for the single nurse potentially that was assigned to Ms. Kidd.
So the allegation here is that the number of eyes, basically, that were on this data was reduced dramatically by the ransomware. And that as a result of that, this was missed. The baby was born with the umbilical cord wrapped around her neck. And as laid out by the plaintiffs in the case, that apparently cut off the flow of oxygen to the baby who was born with severe brain damage, and ultimately died nine months later.
Zoe Thomas: So the hospital had a backup plan. It didn’t have its main monitor, but it had these in-room monitors, that individual nurses were going to be able to keep watch on. Was there a clear sign that Ms. Kidd’s child was in distress?
Kevin Poulsen: That’s one of the things that’s going to have to be demonstrated in court. But according to the account provided by Ms. Kidd’s attorneys, about an hour before the delivery, the bedside fetal heart monitor recorded a speeding up of the baby’s pulse. And the medical experts we spoke with, said that that can be an indicator that an umbilical cord has become constricted.
In this case, they went ahead with the delivery, and it’s unclear whether this warning sign was missed by the attending nurse, or interpreted in a different way. But the theory of the case is that if it had gone not just to the bedside monitor, but also to this large display at the nurses station, where there were five or six nurses with eyes on it, that they might’ve picked it up. Might’ve seen that it was an anomaly. And when the obstetrician came to handle the delivery, she would have been armed with that information and would have delivered by C-section instead.
Zoe Thomas: How are Ms. Kidd’s lawyers planning to demonstrate that the baby’s death and the ransomware attack were linked?
Kevin Poulsen: So the trial is still a long ways off. What we know about the case that they’re making primarily comes from what’s been filed in court. And that includes things like text messages between the obstetrician that delivered the baby, and the nurse that ran the delivery unit, the department at the hospital. Where the doctor who delivered the baby actually says, after reviewing the information from this heart monitoring equipment, actually says, “Why wasn’t I notified about what this was picking up, prior to the delivery?” And she says something that indicates that she would have delivered by C-section, if she had seen what it was that the monitor was recording.
A lot of the circumstances of this birth have not been disputed by the hospital. We know that this central monitoring of the fetal heartbeat from the nurses station was down. That is confirmed. So the question, I guess, that they’d have to address at trial, would be can they prove that the information conveyed by the monitor would have resulted in a different outcome, had it been seen by more people, had more nurses been able to access it from the nurses station? That’s one of the hurdles that they’ll have to clear.
Zoe Thomas: The hospital and the obstetrician, Dr. Parnell, are being sued. We know from the court filings that Dr. Parnell said she had been aware of the cyber attack, but believed Ms. Kidd could safely deliver her baby at Springhill at the time she was admitted. Have we heard anything else from her, and have we heard from the hospital?
Kevin Poulsen: Dr. Parnell and her lawyers declined to comment for the story. The hospital declined to answer detailed questions, but sent me a statement saying that there was no wrongdoing on their part, defending their decision to continue operating with their networks down. So a big issue in the case is whether or not the hospital had a duty to warn Ms. Kidd when it admitted her, that they were in the middle of a ransomware attack, and that a lot of their critical systems were down.
The hospital’s position is that they had no such responsibility, but that the obstetrician may have, that the doctor knew that this incident was ongoing and that they didn’t have access to all of their systems. And she scheduled Ms. Kidd for an induced labor anyway, and it was her responsibility to let Ms. Kidd know that the hospital was in this state.
Zoe Thomas: It does seem like hospitals are the victims of cyber attacks a lot. Is there a reason they’re targeted?
Kevin Poulsen: This attack against Springhill in 2019, came in the middle of a flurry of similar attacks against other hospitals, most of which were attributed to a single Russian ransomware group, called Ryuk. And we know from things that were observed by security experts, that this was very deliberate targeting. And the theory seems to be that because these hospitals can’t afford to be without their systems, because there are lives in jeopardy, that they’re going to be motivated to deal with ransomware attackers, and to negotiate and to pay some sort of ransom.
Zoe Thomas: So if hospitals are potentially big targets, why aren’t their systems more robust when it comes to fighting off cyber attacks?
Kevin Poulsen: It’s an issue that goes beyond hospitals. Nobody is really prepared for ransomware. Ransomware opened up a whole new source of income for the underground, and sent them hacking targets that previously had no reason to be hacked. Until ransomware, there was just no reason to hack a hospital. And so hospitals had no need, there was no pressure on them to have the level of security around their networks that you would see with a bank, for example, which has been under attack by hackers for decades.
So that’s really, I think the fundamental issue here. Hospitals do have some computer security. They aren’t leaving things wide open. They just don’t have a level necessarily commensurate to the threat posed by these motivated profit-driven hackers.
Zoe Thomas: I feel like we’ve been getting these warning signs that cyber attacks are going to have some real impacts on all of our lives. Obviously, the Colonial Pipeline was a real wake up for a lot of people, when gas prices were affected. But does the fact that somebody may have died because of a cyber attack, is that one of the consequences that we might just have to deal with?
Kevin Poulsen: I would hope it’s not something that we wind up just dealing with, going forward. I think because it’s something that we’ve known was possible, that experts have warned was likely, that might already be happening at a statistical level, where it’s hard to isolate any particular case as being the result of ransomware. But overall, it’s having that kind of impact.
I think having a case where you have a specific victim and specific circumstances, and compelling evidence will raise the stakes for everybody, and the threat will be taken more seriously, and dealt with at a level more commensurate with the actual risk to public safety.
Zoe Thomas: I think one thing that might really spook people about this is the idea that when you go into a hospital, the last thing on your mind is cybersecurity. Does it seem like hospitals are going to be under pressure to make cyber attacks more public? Or is this something that people going into hospitals for a birth, or for some kind of surgery, or in an emergency, need to be thinking about?
Kevin Poulsen: Right now, there’s just no clear guidance, or direction, or standards for hospitals about what they have to disclose to the public and to their patients when they’re facing an incident like this. In this case, Springhill was very reticent to disclose anything about it to the public. And their initial characterizations of this attack to the local press have failed to capture the actual impact of the event.
In other cases, we’ve seen hospitals be much more forthright and open about it, and even identify which ransomware group they’re dealing with. So right now, it’s very inconsistent.
Zoe Thomas: All right. So we won’t know about a decision on this case for some time, but certainly it is a real tragedy what happened. Kevin Poulsen is our reporter covering this. Thanks for joining us, Kevin.
Kevin Poulsen: Thanks for having me.
Zoe Thomas: And that’s it for today’s Tech News Briefing. You can always find more tech stories on our website, wsj.com. And if you like our show, please rate and review it. You can do that wherever you get your podcasts. I’m Zoe Thomas for the Wall Street Journal. Thanks for listening.