The hackers behind the ransomware attack last month that left Lurie Children’s Hospital offline for weeks have said they have sold off all the data they stole from the pediatric facility on the dark web for $3.4 million.

The Rhysida ransomware group claimed responsibility for the January 31 attack, which forced staff to take down their email, phone, EMR, and patient family portal MyChart systems and rely on manual methods. This led to long wait times and cancellations and made it hard for patients and hospital workers to access medical records and prescription history, and to schedule appointments. Doctors were also unable to use its billing system.

In late February, Rhysida said it had stolen 600 gigabytes of data from the hospital and listed it for sale on its darknet exploitation site for 60 bitcoins, equivalent to $3.4 million. Last week, it updated the listing to say, “All data was sold,” according to Recorded Future News.

"We are aware that individuals claiming to be Rhysida, a known threat actor, claim to have sold data they allege was taken from Lurie Children’s. We continue to work closely with internal and external experts as well as law enforcement, and are actively investigating the claims. The investigation is ongoing, and we will share updates as appropriate,” a spokesperson for Lurie Children's told Recorded Future.

The hospital is one of the largest pediatric healthcare organizations in the Midwest, providing care to about 239,000 children annually and treating more for cancer and blood disorders than any other Illinois-based hospital. It recently announced that it was on track to restoring its EHR, phone, and other systems.

While the specifics on what data was stolen remained undisclosed, the FBI launched an investigation into the attack last month. It is also investigating a similar incident at Change Healthcare, a revenue management technology subsidiary under UnitedHealth Group, the largest health insurance company by revenue.

The BlackCat ransomware group took responsibility for that hit, which occurred on February 21, and the effects of which are still being felt weeks after with providers unable to submit claims and process reimbursements to pay expenses and employees. Pharmacists in all 50 states said they were having trouble confirming insurance coverage and copayments to fill prescriptions.

Change recently announced that it expects its electronic payments and medical claims systems to be fully functioning again on March 15 and March 18, respectively, and that other systems for healthcare revenue and payment cycle management should be completely restored within weeks, reported SC Magazine.

According to a partner of BlackCat who helped carry out the attack, Change recently paid $22 million (350 bitcoin) as ransom to retrieve protected information. He says that the ransomware group, which has shut down its site, still has the sensitive information along with data on healthcare partners that it obtained when it breached Change’s network, including Medicare and a host of other major insurance and pharmacy networks. Change has not confirmed or denied the claim.

Health IT Homepage