Electronic Healthcare Records , Fraud Management & Cybercrime , Governance & Risk Management

Rhysida Offers to Sell Children's Hospital Data for $3.4M

One Month Later, Lurie Children's Hospital Still Recovering From Ransomware Attack
Rhysida Offers to Sell Children's Hospital Data for $3.4M
Electronic health records and other IT systems are still offline at Lurie Children's Hospital in Chicago following a cyberattack in late January. (Image: Lurie Children's)

Ransomware group Rhysida is offering to sell "exclusive data" stolen from a Chicago pediatric hospital for $3.4 million on the dark web, while the hospital struggles to recover its IT systems, including its electronic health records and patient portal, one month after the attack.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

Ann & Robert H. Lurie Children's Hospital of Chicago, which cares for more than 220,000 patients a year, said in a statement Thursday that it is aware of Rhysida's dark web claims, but it declined to share details about the incident (see: Systems, Phones Still Offline at Chicago Children's Hospital).

"Our investigation remains ongoing and active. In addition, we continue to work closely with law enforcement and leading security experts," says the statement provided to Information Security Media Group.

Rhysida on its dark website on Wednesday said the data from the 312-bed pediatric research hospital will be available for purchase in less than a week for 60 bitcoin - or about $3.4 million.

As of Thursday, dark web monitoring website Darkfeed counted 79 Rhysida victims. The ransomware-as-a-service group, which first appeared in the spring of 2023, was the subject of an alert by the Department of Health and Human Services to the healthcare sector last August amid several attacks on hospitals and healthcare systems (see: Authorities Warn Health Sector of Attacks by Rhysida Group).

Ransomware-as-a-service group Rhysida is offering Lurie Children's data on the dark web for $3.4 million.

California-based Prospect Medical Holdings and Mississippi-based Singing River Health System were among Rhysida victims last year.

"This is a terrorist group. Rhysida provided the tools, but we don’t have authoritative information on who actually launched the attack" on Lurie Children's, said Mike Hamilton, founder and CISO of security firm Critical Insight. "Stolen data will show up on the Rhysida leak site, but there could be another group involved that simply uses the Rhysida criminal infrastructure," he said.

While Rhysida is not considered one of the most "prolific" ransomware groups, the gang is an established RaaS group, said Jason Baker, senior threat intelligence consultant at GuidePoint Security.

"Of the attacks we observed across all industries in 2023, Rhysida was responsible for 74 out of 4,519, or roughly 2%. While this figure may sound small, it still places the group within the top 25% of the 63 distinct ransomware groups we monitored in 2023, in terms of victim volume," he said.

"When looking strictly at victims in healthcare, Rhysida accounted for 4 of the 292 attacks we observed, or 4% of all observed healthcare ransomware attack," he said.

The most impactful ransomware groups targeting healthcare are LockBit and BlackCat/Alphv, which account for 16% and 13% of observed attacks, respectively, Baker said. "This is in line with their standing as the most prolific ransomware groups overall, and their impacts are hard to gauge at the individual level. Both have threatened to publish sensitive medical records and patient information as part of their extortion efforts."

The Lurie Children's incident, on top of recent attacks on healthcare by other ransomware groups, shows that cybercriminals are persistently targeting healthcare organizations (see: BlackCat Pounces on Health Sector After Federal Takedown).

"The threat seems to be increasing, and these events cannot be easily separated from the geopolitical situation we find the world in right now," Hamilton said. "These RaaS and affiliate models allow for any group to 'hide' behind what appears to be criminal but is destabilizing enough to raise questions about nation-state involvement, support, collusion or cooperation."

On Thursday, Optum issued a statement confirming BlackCat's claims on Wednesday that the cybercriminal group had hacked the company's IT products and services unit, Change Healthcare.

Meanwhile, the disruption caused by the attack on Lurie Children's IT operations continues. The hospital, in its last public update about the incident posted on Feb. 22, said its electronic health record systems and MyChart patient portal are still being affected by the incident.

"Also, due to our systems being offline, we are using manual processes that will result in longer wait times between the request and completion of prescription requests," Lurie Children's said.

Downtime Planning

Hospitals must prepare to deal with downtime, Hamilton said. "This is about resilience and not defense. This is not a fair fight with well-funded and well-resourced criminal organizations attacking hospitals," he said.

"Unfortunately, hospitals will continue to lose. This is the time to update incident response plans and practice them regularly to minimize the impact of an attack, including communication and mutual aid planning," he said.

"The preparation that you put into your resilience controls will pay off when the inevitable cyber event occurs. Take steps now to minimize the impact of a foreseeable event."

Hamilton said that the U.S. federal government should do a better job of helping the healthcare sector "with real dollars" to boost cybersecurity.

"Many hospitals are not wildly profitable. There's a misconception that they have the same kind of money to spend as a bank. They don't," he said. And hospitals have more complex attack surfaces and less money to defend them, he added.

"A grant program akin to the state and local cybersecurity grant program is needed," Hamilton said, "with the expectation that the cybersecurity performance goals just released by HHS will be consistently met across the sector" (see: HHS Details New Cybersecurity Performance Goals for Health Sector).


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.