Lurie Children's Hospital (photo courtesy of Lurie's Children)

FBI probes cyberattack that has left Lurie Children's Hospital offline for over a week

February 13, 2024
by John R. Fischer, Senior Reporter
The FBI is investigating a cyberattack on Lurie Children’s Hospital that, over a week later, still has the Chicago provider’s systems offline and elective surgeries and procedures canceled until further notice.

While the hospital has not revealed the type or nature of the attack, which occurred on January 31, it did confirm that a “known criminal threat actor” breached its network. To protect patient and workforce information, it has taken its email, phone, EMR, and patient family portal MyChart systems offline.

This has made it difficult for patients and hospital workers to access medical records and prescription history and schedule appointments. Many patients, while still encouraged to show up for scheduled appointments, have been unable to reach the hospital through its main phone lines and are waiting for calls to inform them when it is safe for their children to be readmitted for care, according to CBS News.

“This is an active and ongoing investigation. As an academic medical center, our systems are highly complex, and these incidents can take time to resolve,” said Lurie Children's in a statement.

While the hospital says all its locations remain open and that it is admitting most patients, including emergency ones, some pediatricians are sending their patients to other hospitals for urgent medical care needs, but the inability to access their online medical records or lab results makes it harder for doctors at these alternative sites to effectively treat them, reported the Chicago Sun-Times. Also, doctors and medical groups affiliated with Lurie have said that they are unable to use its billing system.

In a statement of its own, the FBI said that it is using “all available investigative tools and resources” in its investigation and is focused on ensuring “the safety of our citizens and our nation's critical infrastructure.”

To keep communication open for patients, the hospital has set up a call center that they can contact with requests or questions about appointments, prescription refills, and other concerns. The number is 1-800-KIDS-DOC (1-800-543-7362), and the call center is open Monday through Friday, from 8 a.m. to 8 p.m.; Saturday, from 8 a.m. to 5 p.m.; and Sunday, from 8 a.m. to 12 p.m. After hours, patients can contact the main operator at 312-227-4000.

In an interview with the Chicago Sun-Times, Dr. Eric Chan-Tin, an associate professor of computer science at Loyola University Chicago, said that it is hard to determine the severity of the situation due to the little information that Lurie Children’s has so far disclosed. But, he says, depending on how severe the situation is, the hospital may need weeks or months to fully recover.

“Hospitals are good targets for hackers because they are critical infrastructure, and they have a lot of private data, which is worth a lot of money,” he said.

Back in 2021, the FBI investigated another cyberattack on Boston’s Children’s Hospital orchestrated by the Iranian government to impede patient access to care. FBI Director Christopher Wray said his organization was able to help the hospital “stop the danger right away,” and that Iran and other countries are hiring cyber mercenaries to carry out attacks on their behalf, with healthcare providers being a prime target.

Attacks are also becoming more sophisticated and effective. Earlier this month, it was revealed that hackers were able to use a series of phishing schemes to defraud the Department of Health and Human Services out of $7.5 million in civilian grant payments throughout most of 2023. They did this by manipulating the Payment Management System used by HHS and other government sectors, including the Executive Office of the President, to withdraw millions of dollars in funds meant for five grantees.