Cyber Incident Victim: Universitätsklinikum Düsseldorf

Date: Sep 2020

Location: Germany

Summary

A ransomware attack targeted the University Clinic in Düsseldorf, causing widespread IT system failures that forced the facility to deregister from emergency care, cancel operations, and redirect ambulances. The disruption delayed critical treatment for a patient who died after being transported to another hospital, though subsequent investigations indicated the death was not directly attributable to the attack. Threat actors initially demanded ransom from an affiliated university, suggesting the hospital may have been compromised unintentionally; they provided a decryption key upon learning of the healthcare impact but remained unidentified. The incident paralyzed clinical operations for days, highlighting severe risks to patient safety during cyberattacks on critical infrastructure.

Description

On September 10, 2020, the University Clinic in Düsseldorf experienced a widespread IT system failure caused by a ransomware attack, forcing the facility into a state of emergency. The clinic publicly announced severe operational disruptions, including limited telephone and email communications, and formally deregistered from emergency care services. All planned surgeries, outpatient treatments, and appointments were canceled or postponed, with patients instructed not to visit the facility. Emergency medical services redirected ambulances to alternative hospitals as critical systems remained inoperable. The IT paralysis persisted for multiple days, preventing normal operations from resuming. German authorities later confirmed the incident stemmed from a criminal cyberattack rather than technical malfunction.

Subsequent investigation revealed the attackers may have mistakenly targeted the hospital instead of its affiliated university, as the ransom note appeared addressed to the academic institution. Upon learning from police that their attack had impacted medical services, the threat actors provided a decryption key before becoming unreachable. A patient requiring urgent admission died after being transported to a facility 20 miles away due to the clinic's emergency care suspension, though later analysis concluded the death was not directly attributable to the treatment delay caused by the attack. The incident caused significant operational disruption, reputational damage, and temporary loss of emergency care capacity in the region. Law enforcement engaged with the attackers during the incident response, but no technical details about the ransomware variant or perpetrator identification were publicly disclosed by the clinic or authorities.
