Ransomware gang claims to have made $3.4 million after attacking children’s hospital

A ransomware gang is claiming to have sold data stolen from a children’s hospital in Chicago after listing it on the dark web for $3.4 million.

The attack last month on Lurie Children’s Hospital forced staff to resort to manual processes as officials took the institution’s entire computer network offline due to what was at the time an unspecified “cybersecurity matter.”

Despite the attack, the hospital pledged to remain “open and providing care to patients with as few disruptions as possible,” although some appointments and elective surgeries were canceled as a result of the incident.

Subsequently, the Rhysida ransomware group listed Lurie Children's on its darknet extortion site, attempting to sell data stolen from the institution for 60 bitcoins, equivalent to just over $3.4 million. The listing was updated this week to claim: “All data was sold.”

It comes as the hospital announced it is making progress restoring its key systems, including its electronic health record platform and its phone system.

“As an academic medical center, our systems are highly complex and, as a result, the restoration process takes time,” the hospital said in a statement on its website last updated Wednesday.

“Working closely with our internal and external experts, we are following a careful process as we work towards full restoration of our systems, which includes verifying and testing each system before we bring them back online.”

The children’s hospital is one of the biggest pediatric healthcare organizations in the Midwest, serving about 239,000 children each year and treating more children with cancer and blood disorders than any other hospital in the state of Illinois.

The disruption caused to the hospital’s prescription systems left parents scrambling to find other doctors who could help their children access vital medicine and healthcare, as reported by NBC News.

A spokesperson for Lurie Children's told Recorded Future News: "We are aware that individuals claiming to be Rhysida, a known threat actor, claim to have sold data they allege was taken from Lurie Children’s. We continue to work closely with internal and external experts as well as law enforcement, and are actively investigating the claims. The investigation is ongoing, and we will share updates as appropriate."

They did not comment on the anticipated effects of the sale on staff, parents or patients.

The attack on Lurie Children’s follows the U.S. Department of Health and Human Services warning about the Rhysida group last August, noting that it appeared to be increasing its attacks targeting the healthcare sector.

An ongoing attack impacting another organization in the sector, Change Healthcare, is currently causing disruptions estimated to cost upwards of $100 million a day.

This article was updated with comment from a Lurie Children's spokesperson at 10:45 a.m. EST.