2 Chicago Hospitals Facing with Cyberattack Woes

Two Chicago hospitals are navigating the effects of recent cyberattacks. One, a children’s hospital, has taken its IT network offline to respond to an incident that happened this week, and the other, a nonprofit safety-net hospital, is being shaken down by cybercriminals asking for a hefty ransom in return for patient data stolen in December.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Ann & Robert H. Lurie Children’s Hospital of Chicago, a leading provider of pediatric care in Illinois, said Thursday that it had taken its systems offline in response to an active cyber incident. The hospital is working with security experts and law enforcement on the investigation.

“We are taking this very seriously. Lurie Children’s is open and providing care to patients with as few disruptions as possible,” the hospital said in its statement. “We are currently working to establish a call center to address our patient-families’ and community providers’ needs.”

Lurie Children’s did not immediately respond to Information Security Media Group’s request for additional details, including whether any particular cybercriminal group has claimed credit for the attack or demanded a ransom.

While one Windy City hospital deals with a ransomware attack, a second hospital that provides vital care services to low-income families on the south and west sides of Chicago is dealing with cybercriminals who are trying to squeeze nearly $900,000 in ransom payments to prevent the release of sensitive patient data.

The notorious ransomware group, LockBit, which has claimed in the past to have “rules” banning affiliates from launching attacks on certain nonprofit hospitals, reportedly took credit this week on the dark web for the data theft from Saint Anthony Hospital in December.

LockBit earlier this week began threatening the Catholic hospital – named after the patron saint of lost things, pregnant women, amputees and the elderly – on the ransomware group’s dark web leak site.

“Always, U.S hospitals put their greedy interests over those of their patients and clients,” LockBit taunted, adding that “St. Anthony has been caring for its neighbors for over a century,” according to a screenshot of the threat posted Tuesday on X, formerly Twitter, by a security researcher.

In December 2022, LockBit 3.0 appeared to change course in a similar attack on a Toronto children’s hospital, SickKids, offering up a free decryptor and an apology on its dark web site about the incident (see: Toronto Hospital Gauges Whether to Use LockBit Decryptor).

“The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” LockBit said in the apology. But so far, that doesn’t appear to be the case in the Saint Anthony Hospital attack.

Some experts doubt that the cybercriminals have any real remorse for their attacks or much control over the actions of their affiliates.

“LockBit and most other operations are indiscriminate in their targeting,” said Brett Callow, a threat analyst at security firm Emsisoft. “Some – including LockBit – claim to prohibit affiliates attacking hospitals, but those so-called rules are routinely ignored.”

LockBit 3.0 has been the subject of alerts from federal authorities in the U.S., including one from the Department of Health and Human Services in December 2022 that warned about the group’s rising attacks on healthcare sector entities since June 2022 (see: LockBit 3.0 Ransomware Threatens Health Sector, Feds Warn).

Saint Anthony Hospital in a notice posted on its website this week acknowledged it was dealing with a recent cybersecurity incident involving attackers “copying” files from its network in December and added that it has been working with the FBI and regulators on the matter.

But the hospital does not appear willing to pay a ransom.

“As a vital safety-net hospital to the people in the communities we serve, we are dedicated to using our resources to care for our community’s most vulnerable and not to rewarding the illegal actions of bad actors,” said Saint Anthony Hospital CIO Jeff Eilers in a statement provided to Information Security Media Group.

“Fortunately, our prompt action and response to this event allowed us to continue providing patient care without disruption,” Eilers said. Saint Anthony Hospital is also reviewing its existing policies and procedures and will implement additional ones as needed, he said.

Saint Anthony Hospital in its public notice this week said it had become aware of suspicious activity within its computer network on Dec. 18 and had taken immediate action to secure its systems to ensure that patient care was not disrupted.

On Jan. 7, the hospital’s investigation determined that files containing patient information had been copied from the network by “an unknown actor.” The hospital is still reviewing the compromised files to identify and notify affected patients.

“Though specific types of information impacted are unknown, there has been no indication that the hospital’s electronic medical record database or financial systems as a whole were compromised,” the hospital said.

LockBit has also taken credit for several other recent attacks, including one in November on New Jersey-based Capital Health (see: Capital Health in NJ Is Responding to a Cyberattack).

Capital Health in an updated notice about the incident posted on its website in early January said its investigation had determined that an unauthorized actor gained access to certain systems between Nov. 11 and Nov. 26.

On Dec. 1, Capital Health’s forensic investigation determined the attackers had acquired certain files on the organization’s network. “At this point, we have found no evidence that personal information or protected health information has been misused,” Capital Health said.

The Capital Health incident as of Friday has not been posted on HHS’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.