Skip links

Lurie Children’s Hospital back to pen and paper after cyberattack

For the second time in one week, cybercriminals have targeted a Chicago children’s hospital, this time causing significant operational disruption.

Lurie Children’s Hospital said it pulled network systems offline as it continues to respond to “a cybersecurity matter” alongside outside experts and law enforcement agencies.

Email, phone, and internet services are unavailable at the hospital, and according to local news, young patients have been unable to attend scheduled appointments for six days and counting.

The hospital remains open for emergencies but is operating on a first come first served basis, according to other reports

Some patients with scheduled elective surgeries have also had their appointments pushed back or canceled. Others say ultrasound systems were down and prescriptions were being handled using analog, pen-and-paper methods.

Lurie Children’s Hospital said in a statement: “As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve. Lurie Children’s is open and providing care to patients with as limited disruption as possible.  

“We are very grateful to our workforce and care providers who are committed to preserving our charitable mission during this time. We recognize the concern and inconvenience the systems outage may cause our patient-families and community providers and are working diligently to resolve this matter as quickly and effectively as possible.”

The hospital treats more than 200,000 children a year and is home to the Stanley Manne Children’s Research Institute, which is actively researching a range of pediatric illnesses and injuries.

Attribution for the attack hasn’t been made, nor has any ransomware or other cybercrime group claimed responsibility for it.

The incident closely follows another attack at Saint Anthony Hospital, based just 8km (five miles) from Lurie, with the “credit” swiftly claimed by the LockBit ransomware gang.

The attack on Saint Anthony’s system began in December 2023 and the hospital only recently disclosed the extent of the damage – data theft but little to no operational downtime or disruption.

It appears the hospital didn’t pay the ransom and the stolen data has been published by LockBit, which is entirely unsurprising given the $800,000 ransom the gang set. Even if Saint Anthony Hospital were inclined to pay, which is very much not the officially recommended route to take, given the lofty sum and the fact it’s a non-profit, it’s unlikely the hospital would be able to pay anyway.

The healthcare sector has long been a primary target for cybercriminals for many reasons, from generally poorer security postures to the operational disruption an attack on a hospital or similar facility can cause, and everything in between. 

When critical services like these are floored, the chances of making a speedy payment to restore access to key systems is, in theory, more likely than a corporate company that has more time to think about a response strategy.

However, according to new rules reportedly set for imminent approval, US hospitals will have to meet certain cybersecurity standards to receive federal funding in a move the government will hope stems the tide on ransomware’s targeting of hospitals.

During El Reg’s investigation, we were pointed to a December concept paper from the US Department of Health and Human Services’ (HHS) cybersecurity strategy. The paper included proposals for enforcing new standards that if met, would offer financial support and incentives for hospitals. ®