Cyberattack on Ukrainian Clinics Startles Experts

Dr. Lidiia Podkopaieva was about to click “send” on an order of new surgical instruments when her computer monitor suddenly went dark.

She speed-dialed the clinic’s technician but didn’t even have time to tell him what was wrong.

“We’re under cyberattack,” he told her. “Switch off the computer immediately.”

The call would kick off a “crazy week” as Podkopaieva and her staff struggled with the sudden loss of half the computers at the Left Bank Pediatric Clinic in Kiev, where she serves as medical director. The central phone system collapsed, digital appointments vanished and diagnostic machines dropped offline, interrupting at least one patient’s exam. Podkopaieva said no one suffered in the attack, but academics argue that even glancing blows to medical facilities like this one represent a damaging break with international norms.

“You cannot attack hospitals,” said Duncan Hollis, a Temple University professor and a former treaty lawyer for the U.S. State Department. Although what happened at Podkopaieva’s clinic fell short of the death and destruction that would constitute an unambiguous “attack,” Hollis said the disruption was still a step in a dangerous direction.

“It’s getting close to, if not across the line of, actual harm that international law might be prohibiting,” he said.

Podkopaieva’s pediatric clinic, part of Ukraine’s Dobrobut health group, was one of thousands of victims of the data-scrambling software dubbed “Nyetya” that erupted June 27. Unlike WannaCry, a similarly quick-spreading digital worm that also disrupted hospital work earlier this year, Nyetya’s masters appear to have had the ability to draw data from their targets — meaning they either knew or could have discovered who would be at the receiving end of their attack.

Podkopaieva said the disruption to Dobrobut was considerable.

“For a moment, we were blind and deaf,” she told The Associated Press in an interview at her clinic a week after the…