Lurie Children's Hospital of Chicago: Ransomware Attack Timeline
Date: 25 April 2024
A ransomware attack in the healthcare space is always an ominous reminder of how cyber crime can directly impact human life. In case of the recent cyber attack on Lurie Children's Hospital of Chicago, not only was sensitive personal data stolen and allegedly sold online. The cybersecurity incident also impacted the speed at which emergency care services could be provided to children. We've captured everything that went down in this chilling illustration of how cyber crime can be debilitating to human life itself in our Lurie Children's Hospital Ransomware Attack Timeline.
Topics covered in the Lurie Children's Hospital Ransomware Attack Timeline:
1. The Incident
2. The Impact on the Hospital & Patients
3. Actions Taken by Lurie Children's Hospital
At Cyber Management Alliance, we regularly create educational Cyber Attack Timelines. The purpose is simply to present cyber attacks in a chronological and easy-to-understand format. We break down everything that took place during the cybersecurity incident into bite-sized points that help you make sense of how cyber crime usually unfolds.
The primary objective behind this exercise is to raise cybersecurity awareness. It is also to offer a retrospective view of recent attacks so you can learn from them and improve your own cyber defences. These reader-friendly attack timelines will show you the tactics and techniques of the cyber criminal. It will also simplify the process of understanding the impact a particular attack had and how the victim responded.
In many cases, you can take a cue from others' cyber incident response plans and processes. In other instances, you may identify some gaps which you can then proceed to plug in your own cyber incident response strategy. Cyber attacks from your specific industry can be really useful as inspiration to create Cyber Security Tabletop Exercise Scenarios for your organisation.
A Cyber Attack Tabletop Exercise is a vital tool in your overall cybersecurity incident response arsenal. It puts your team in a simulated attack situation and evokes the kind of responses they would exhibit during a real cyber event. It helps them build muscle memory and rehearse cybersecurity decision-making. Having a highly relevant, specifically-created scenario is key to a successful cyber drill and that's where studying the attack timelines can really benefit.
The Incident - Lurie Children's Hospital of Chicago
- February 01, 2024: Bleeping Computer reported that Lurie Children's Hospital in Chicago was forced to take IT systems offline after a cyber attack, disrupting normal operations and delaying medical care in some instances.
- February 01, 2024: A Local media source ABC7Chicago reported that scheduled procedures were delayed due to the cyber attack, ultrasound and CT scan results are unavailable, and prescriptions are given in paper form. The hospital had to revert to following a first-come, first-served approach, prioritising emergency situations.
- February 15, 2024: Fierce Healthcare mentioned in its report that Lurie Children's said it took down its email, phone and MyChart systems offline on January 31 as a security measure after a criminal actor gained access to its network. It has gradually been bringing those capabilities back online in the weeks since—email and most phone lines came back in mid-February, though clinicians didn't regain access to electronic health records until earlier this month.
- February 27, 2024: The Recorded Future News said in its report the Rhysida ransomware-as-a-service group that disrupted 16 hospitals across the U.S. — listed Lurie on its darknet extortion site and this ransomware group attempted to sell data stolen from the institution for 60 bitcoins, equivalent to just over $3.4 million.
- March 12, 2024: According to NBC 5 Investigates, Lurie Children’s Hospital said it investigated claims that information reportedly stolen during a recent cyber attack against the hospital was sold online. On March 08, 2024, according to a post obtained by NBC 5 Investigates, the ransomware-for-hire group Rhysida claimed it had sold data obtained from Lurie Children's Hospital. The post, which was authenticated by the cyber security firm Check Point Software, said: “All data was sold”.
- March 12, 2024: In a statement provided to NBC 5 Investigates, a hospital spokeswoman said: “We are aware that individuals claiming to be Rhysida, a known threat actor, claim to have sold data they allege was taken from Lurie Children’s. We continue to work closely with internal and external experts as well as law enforcement and are actively investigating the claims. The investigation is ongoing, and we will share updates as appropriate.”
The Impact on the Hospital & Patients
- February 01, 2024: According to Bleeping Computer, the hospital announced on its website and social media platforms that it is actively responding to a cybersecurity incident, which unfortunately resulted in network systems being taken offline to prevent the attack's spread.
- February 01, 2024: As per Bleeping Computer’s report, the healthcare provider stated that the incident impacted the hospital's internet, email, phone services, and ability to access the MyChat platform. Those suffering from a healthcare emergency were advised to dial 911 or visit their nearest emergency department.
- February 01, 2024: According to ABC7Chicago, the ongoing issue forced some elective surgeries and procedures to be cancelled. Iriel Thomas, parent of a 10-year-old patient who was admitted to the hospital on January 27, 2024, said the outage caused their son’s treatment procedure to be delayed. Thomas was apparently told the outage had no impact on emergency services as the hospital continued to alert families about the outage and ask for their patience through messages on its website and social media.
- February 01, 2024: As per ABC7Chicago’s report, Iriel Thomas said: "Everyone thought it was going to come back quickly and no, so it made everybody go back to paper charts, writing everything down, because computers are down at this point. It's just first come, first served on what is important right now".
- February 01, 2024: As per ABC7Chicago covered one more patient’s statement as their daughter had to go through a treatment. Kelly Beeman and her wife were unaware of the outage when they arrived at Lurie for an appointment for their 18-month-old daughter. She said they were hoping to review ultrasound results with their doctor but couldn't. However, they were able to get a prescription the old school way.
-
February 01, 2024: Kelly Beeman said: "You can hear everybody talking about it, there are doctors huddled in the corner, this is what we are going to do, it seems like they are handling the situation. I haven't done it in this way in a long time on paper, but we got what we needed".
Actions taken by Lurie Children's Hospital & Govt Agencies
- February 01, 2024: Lurie Children's Hospital disclosed on its website: "Lurie Children's is actively responding to a cybersecurity matter. We are taking this very seriously, are investigating with the support of leading experts, and are working in collaboration with law enforcement agencies. As part of our response to this matter, we have taken network systems offline".
- February 01, 2024: According to ABC7Chicago’s report, Lurie Children's Hospital said: "We are currently working to establish a call centre to address our patient families' and community providers' needs. We will post updates on luriechildrens.org". It added: “We recognise the concern and inconvenience the system's outage may cause our patient families and community providers, and are working diligently to resolve this matter as quickly and effectively as possible".
- February 07, 2024: Chicago CBS said in its report that the FBI confirmed that it investigated a "cybersecurity incident" that caused a weeklong network outage at Lurie Children's Hospital. The FBI said in a statement: "FBI Chicago is aware of the recent cybersecurity incident affecting Lurie Children's Hospital and is utilising all available investigative tools and resources to provide assistance. As always, our attention remains on ensuring the safety of our citizens and our nation's critical infrastructure. There is no additional information available for release at this time".
- February 15, 2024: According to FierceHealthcare, Lurie Children's Hospital of Chicago said that it has restored email systems and a majority of its phone lines after both were taken offline when the provider identified unauthorised access to its network. Lurie Children's wrote in an update: “Still, Lurie Children's Epic MyChart system "remains offline for the time being" and patients, families and community providers are being encouraged to phone the call centre it launched to help coordinate calls. Our network system's restoration is ongoing and progressing."
- March 05, 2024: According to Healthcare Dive, Lurie Children’s Hospital restored its Epic electronic health record more than a month after the cyber attack which forced the Chicago-based provider to take down its network systems.
- March 18, 2024: The Lurie Children's Hospital gave a statement on its progress to restore the impacted systems as it said:
- “Lurie Children’s continues to respond to the cybersecurity matter. We continue to make progress in restoring our systems, and recently reactivated our electronic health record platform (Epic) and other key systems”,
- “We have begun the process of reactivating MyChart for patient-families. Currently, key MyChart functions that are coming online to support our patient-families include, online scheduling, e-check in, provider messaging, medication refill requests and—in the coming days– bill pay”,
- “Telemedicine appointments are once again available via MyChart. Please refer to your email and/or text message, and log into your Lurie Children’s MyChart for information about your upcoming telemedicine appointments”.