Children’s hospital cyberattack traced to ‘criminal threat actor’

As Ann & Robert H. Lurie’s Children Hospital continues to grapple with a cyberattack, hospital officials say the incident has been traced to “a known criminal threat actor.”

Lurie Children's Hospital says a "criminal threat actor" is behind the cyberattack reported more than a week ago. (Image: Lurie Children's)

Lurie Children’s disclosed the new information about the attack Thursday. The hospital first announced that it had suffered a cybersecurity incident on Jan. 31.

“We can now confirm that our network was accessed by a known criminal threat actor,” Lurie’s said in a message on its website Thursday.

“We take this matter very seriously and have been working closely, around the clock, with outside and internal experts and in collaboration with law enforcement, including the FBI. This is an active and ongoing investigation. As an academic medical center, our systems are highly complex, and these incidents can take time to resolve.”

• Read more: These are the 11 biggest health data breaches of 2023

The hospital didn’t disclose which areas were accessed or what records could be compromised. It’s common for health systems and hospitals to spend weeks assessing what records may have been accessed and how many individuals could be affected.

Lurie Children’s took critical systems offline last week, including its phone and email systems. The hospital’s electronic medical records system is also offline, along with MyChart, the digital portal patients use to schedule appointments and view test results.

“We did this in an effort to protect the information of our patients, workforce and organization at large,” Lurie said.

The hospital has been continuing to care for patients, including those needing inpatient care, surgical procedures and emergency care. Lurie Children’s has told families to maintain appointments unless they are told otherwise.

“​​Throughout this period, all Lurie Children’s locations have remained open, accepting and caring for patients with as few disruptions as possible,” the hospital said in its message. “The diligence and dedication of the staff is unwavering. It is their care and talent that people seek and that remains unchanged.”

• Read more: Emerging cybersecurity threats in healthcare: Special Report

Still, the disruption has caused problems for parents needing tests or prescriptions, NBC News reports.

While the hospital’s phones are offline, Lurie Children’s has set up a call center so parents can talk about appointments and refill prescriptions (the call center’s number: 1.800.543.7362).

The hospital said it would provide additional updates when they are available.

“We recognize the frustration and concern this situation creates for all those impacted,” the hospital said in a message on its website. “We are so grateful to our Lurie Children’s community for the outpouring of support. We are especially inspired by our workforce and their resilience and commitment to our mission.”

Many hospitals and health systems of all sizes have suffered breaches of their systems in cyberattacks. More than 100 million Americans were affected by breaches of private health information in 2023.

Dan Dodson, CEO of Fortified Health Security, a cybersecurity expert, told Chief Healthcare Executive® in a January interview that ransomware groups and other criminals are “trying to get the most amount of data.”

Hospitals are enticing targets for ransomware groups because they have records on a large number of patients, including everything from health records, such as diagnoses or medications, to financial information. Those records can be sold on the dark web.

“One of the things that is unfortunate is that medical records are extremely valuable,” Dodson says. “There's multiple ways that you could monetize it from a bad actors’ perspective.”

Another Chicago hospital, Saint Anthony Hospital, said last week that it has suffered a recent cybersecurity incident. The hospital said that someone gained access to its network and copied files containing patient information on Dec. 18. Saint Anthony said the hospital is still trying to determine which data was taken and how many people are affected.

Last June, a hospital in the rural community of Spring Valley, Illinois, St. Margaret’s Health, closed for good, and officials cited the damage and costs of a cyberattack, along with other financial difficulties.

The Joint Commission has advised hospitals to develop response plans for cyberattacks. Among its recommendations, the commission advises, “Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer.”