Chicago Children’s Hospital Confirms Cyber Threat Activity

February 13, 2024 - UPDATE 2/13/24 - This article has been updated to reflect new information about the cyberattack on Lurie Children's Hospital. 

Lurie Children's Hospital has entered its third week of downtime following a cyber incident that began on January 31. The latest update provided to patients confirmed that the hospital's network was "accessed by a known criminal threat actor."

"We take this matter very seriously and have been working closely, around the clock, with outside and internal experts and in collaboration with law enforcement, including the FBI," the hospital stated. "This is an active and ongoing investigation. As an academic medical center, our systems are highly complex, and these incidents can take time to resolve."

Lurie Children's Hospital has not yet provided a timeline for when it expects to bring its systems back online.

---

READ MORE: Ransomware Makes ECRI’s Top Health Tech Hazards List

2/6/2024 - Nearly a week after a cyberattack hit Lurie Children’s Hospital in Chicago, email, phone, and electronic systems remain offline. The hospital proactively took its systems offline in the wake of the cyber incident and immediately engaged law enforcement agencies.

As outages persist, Lurie Children’s remains open and is continuing to accept patients, including inpatient care, surgical procedures, ambulatory visits, and emergency care, the hospital said in its latest update. While onsite care is continuing according to the hospital’s contingency plans, its EHR system is offline.

Lurie also intentionally limited its email system so that it is unable to send or receive emails from non-Lurie Children’s email addresses. The hospital has also prevented outbound internet traffic and is unable to receive external phone calls, except for those from its call center. Lurie Children’s has not yet provided an estimated timeline for bringing its systems back online.

“We recognize the frustration of not having clarity on when this will be resolved. Our investigation remains ongoing and we are working around the clock to resolve this matter,” Lurie Children’s stated in a message to patient parents and guardians.

“Please understand this process takes time and know that we have highly experienced, capable, and empathetic teams of both internal and external experts responding to this matter. We also continue to work in collaboration with law enforcement.”

READ MORE: How HHS Cybersecurity Performance Goals Will Impact Healthcare

The hospital set up a call center to address patient concerns on the cybersecurity matter and directed all patients with existing appointments to arrive as scheduled.

Cyberattacks against hospitals have become all too common in recent months and years. Over the Thanksgiving holiday in 2023, threat actors targeted Ardent Health Services, which owns 30 hospitals and 200 sites of care across six states. The incident forced Ardent to take its network offline and divert ambulances.

In August, multi-state healthcare system Prospect Medical Holdings suffered a ransomware attack that led to a systemwide outage.

What’s more, the Lurie Children’s attack is not the first time that threat actors have tried to target a children’s hospital. In June 2022, Federal Bureau of Investigation (FBI) Director Christopher Wray revealed that Iranian government-backed hackers had attempted to execute a cyberattack against Boston Children’s Hospital in June 2021.

The FBI was able to thwart the attack thanks to a report from intelligence partners, enabling them to stop the hackers before they could do damage to the hospital’s network.

READ MORE: PJ&A Data Breach Fallout Continues, 4M Additional Individuals Impacted

“Ransomware gangs love to go after things we can’t do without,” Wray said at the time.

Based on recent threat actor trends, it seems that cyber threat groups are more than willing to target hospitals, even if it means more attention from law enforcement.

In its annual ransomware report, the GuidePoint Research and Intelligence Team (GRIT) observed an increase in emerging ransomware groups targeting healthcare specifically, without fear of repercussions.

For example, Rhysida ransomware emerged in May 2023 as a relatively unknown group. Despite its lack of maturity, Rhysida immediately began using phishing and other tactics to target victims around the world and publish stolen files online. The group was not shy in its targeting of the healthcare, education, and government sectors.

“Healthcare has historically been considered ‘off limits’ for some ransomware programs as this brings negative press coverage and extra attention from law enforcement agencies,” GRIT noted.

However, recent attacks have suggested that threat actors are no longer against targeting these types of organizations.

“Healthcare targets rose in popularity among both Established and Developing groups in 2023. Healthcare victims often hold a large amount of PII data, rendering them a high-value target for more mature ransomware groups capable of exploiting or extorting based on large volumes of data,” the report continued. “While the Healthcare industry was once considered off-limits and less frequent as targets by Established groups, we have witnessed this norm eroding in 2023.”

GRIT predicted that ransomware groups would continue to aggressively target victims in critical infrastructure sectors, with the most prolific groups leading the innovation and technique advancements for the newer, less experienced cyber threat groups.