Lurie Children's Hospital investigating claims that stolen data was sold online

Lurie Children’s Hospital says it is investigating claims that information reportedly stolen during a recent cyberattack against the hospital was sold online, NBC 5 Investigates has learned.

On Friday, the ransomware-for-hire group Rhysida claimed it had sold data obtained from Lurie Children's Hospital, according to post obtained by NBC 5 Investigates.

“All data was sold,” the post read, which was authenticated by the cyber security firm Check Point Software.

In a statement provided to NBC 5 Investigates this week, a hospital spokeswoman said: “We are aware that individuals claiming to be Rhysida, a known threat actor, claim to have sold data they allege was taken from Lurie Children’s. We continue to work closely with internal and external experts as well as law enforcement and are actively investigating the claims. The investigation is ongoing, and we will share updates as appropriate.”

NBC 5 Investigates found the recent cyberattack involving Lurie Children’s Hospital is one in a growing number of attacks involving healthcare organizations across the country.

A recent separate attack on Change Healthcare – a subsidiary of UnitedHealth Group – led to disruptions for patients, physicians’ offices and pharmacies across the country.

NBC 5 Investigates’ review of federal records from the U.S. Department of Health and Human Services found since 2020, at least 125 healthcare organizations in Illinois alone have reported some type of breach.

Those include hacks, thefts and unauthorized access to records, which potentially compromised the information of seven million individuals. That number does not include the most recent cyberattack at Lurie Children’s Hospital.

That attack, which the hospital says it learned of on Jan. 31, severely disrupted the hospital’s normal operations and put a temporary halt on scheduling procedures, sharing information electronically and even communicating over the phone.

The cyberattack left parents and their children upset and concerned about the delays or hurdles in accessing care.

Just last week, Lurie Children’s Hospital announced that it “continues to make progress in restoring our systems,” announcing that it was able to restore its health record platform and other key systems, but that MyChart – the online app that lets patients and their families access their records and appointments - remained unavailable.

“As an academic medical center, our systems are highly complex and, as a result, the restoration process takes time. Working closely with our internal and external experts, we are following a careful process as we work towards full restoration of our systems, which includes verifying and testing each system before we bring them back online,” the hospital said in a March 4 statement. “We recognize the concern and inconvenience this system outage may cause our patient-families and community providers, and are working diligently to resolve this matter as quickly and effectively as possible…”

As far back as August, The U.S. Department of Health and Human Services warned that the Rhysida group’s primary methods involved phishing attacks and that the group could begin “to look at the healthcare sector as a viable target.”

Another warning from the feds followed in November – this time from the Cybersecurity & Infrastructure Security Agency – showing how Rhysida infiltrates computer systems. The bulletin called on education, healthcare organizations and others to implement a series of strategies to mitigate any potential attack.

The advisory urged organizations to “(test) your existing security controls inventory to assess how they perform against… techniques described in this advisory.”

A Lurie spokeswoman did not respond to NBC 5 Investigates’ questions about the two previous government warnings and what mitigations efforts the hospital took prior to this most recent attack.

Cindi Carter, who is the Chief Information Security Officer at Check Point Software, said the impact of this recent attack on Lurie Children’s hospital is significant.

“We're talking almost 240,000 patients at that hospital and those kids receive cancer and what illness treatments right. So this is critical.”

Chris Carlis, a Chicago-area cybersecurity consultant, says he has often played the role of “attacker,” helping companies test their systems to look for vulnerabilities.

“It is certainly an ongoing problem there. It is disturbing the number of ransomware attacks that take place all the time. That really don't capture the attention like this hospital attack has,” said Carlis, a cybersecurity consultant.

While the specific details of this specific ransomware attack involving Lurie Children’s Hospital are not yet known, Carlis says:

“It is oftentimes a numbers game. They're not sending one or two emails. They'll send a lot of emails to a lot of different organizations. They may all be slightly different and have various payloads but they're ultimately looking for the one fish that'll bite and provide them access to that network,” he said.