Chicago's Lurie Children's Hospital confirms cyberattack, gives no timeframe for fix
CHICAGO (CBS) – Chicago's Lurie Children's Hospital confirmed for the first time on Thursday it experienced a cyberattack from an outside threat, which led the hospital to take its phone, email, and other systems offline on Jan. 31 and caused disruptions to its regular operations since then.
In a statement, hospital officials said their network was accessed by a "known criminal threat actor," although they did not specify who the actor was. They said they had evidence of "suspicious activity" and decided on Jan. 31 to take the systems offline.
The officials also did not give any timeframe for when they would be able to restore the hospital's systems.
"We take this matter very seriously and have been working closely, around the clock, with outside and internal experts and in collaboration with law enforcement, including the FBI," said Dr. Marcelo Malakooti, Lurie's chief medical officer, during a press conference on Thursday. "This is an active and ongoing investigation. As an academic medical center, our systems are highly complex, and these incidents can take time to resolve."
The hospital said care has gone uninterrupted since it became the victim of a criminal cyberattack.
"We recognize the frustration and concern this creates for all of those impacted," said Malakooti. "Our systems are highly complex, and these incidents can take time to resolve."
Also on Thursday, Lurie officials discussed the latest on the situation with hospital employees during a town hall meeting. According to notes taken by one employee and provided to CBS 2, officials estimate that some of the problems related to the outage might take weeks to resolve, but their phone system could be back later on Thursday. Still, hospital officials said they are prepared for such attacks and expressed confidence in their ability to financially handle the situation, per the employee's notes.
In an automated voicemail sent to hospital employees obtained by CBS 2, workers were asked to "remain vigilant against identity theft and fraud in their personal matter." A hospital spokesperson wouldn't confirm whether any staff members' personal information was affected by the cyberattack.
The network outage at the hospital in Streeterville and three other locations in Chicago, Glenview, and Skokie made it difficult for staffers to access medical records, order prescriptions, schedule procedures, and check test results for more than a week since the outage began.
Parents of patients at the hospital were none too pleased with the situation Thursday – particularly upon learning that malice was involved.
"For the people responsible, there's a place in hell reserved for you," said Debora Land.
"I really don't have confidence that the leadership at Lurie," Land said, adding, "I think that it's good that they're finally starting to talk about what happened, but I think they have not gone far enough yet."
While the hospital did not confirm it experienced a cyberattack until Thursday, the FBI said on Wednesday it was investigating a "cybersecurity incident" that led to the network outage at Lurie.
It could take weeks, or even months, for all systems to be back up and running – depending on how complex the attack turns out to be.
"One of the reasons why they target health care institutions is because of that life or death," said cybersecurity expert Rob Lee with the SANS Institute.
Lee said it often takes institutions longer than it should to return operations to normal – as they decide whether or not to pay.
"You have law enforcement on one side that really doesn't want organizations to pay the ransom," he said. "On the other side, it is organizational survival and being able to move forward."
Also on Thursday, the U.S. State Department announced a reward of up to $10 million for anyone who could help identify the people involved in Hive Ransomware, an organized crime group accused of conducting attacks against mainly public institutions by demanding ransom for the release of hijacked data. It was not clear if Lurie was impacted by that type of ransomware attack.
"Their fingerprints are over on multiple attacks that are out there," said Lee.
According to available data, 46 hospital systems last year were targeted by ransomware. But that number may be much higher – since there are no mandatory reporting requirements yet.
Lurie set up a call center for patients with requests or questions about appointments, prescription refills, and other concerns at 1-800-KIDS-DOC (1-800-543-7362). The call center is available Monday through Friday, 8 a.m. to 8 p.m.; Saturday from 8 a.m. to 5 p.m.; and Sunday from 8 a.m. to noon. When the call center is closed, patients can contact the main operator at 312-227-4000.