Canada's largest children's hospital struggles to recover from pre-Christmas ransomware attack

UPDATE: The LockBit ransomware group posted an apology to Hospital for Sick Children on Saturday morning, offering the hospital a decryptor for free.

Hospital for Sick Children told The Record that it is working with experts to "validate and assess the use of the decryptor."

"As of January 1, SickKids has already restored over 60 percent of priority systems; restoration efforts are ongoing and progressing well," a spokesperson said. "There is no evidence to date that personal information or personal health information has been impacted. SickKids has not made a ransomware payment."

In a message posted to their leak site on Saturday, the ransomware gang said it "formally apologizes for the attack on Sick Kids."

"The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," the group said.

LockBit, like a number of ransomware groups, has tenuous rules for its hackers and affiliates warning them not to attack certain institutions, like hospitals. These rules have done little to stop the group from frequently targeting hospitals.

Three weeks ago the group was accused of attacking Hospital Centre of Versailles in France and in August, LockBit proudly took credit for a crippling attack on Center Hospital Sud Francilien in Corbeil-Essonnes. The attack knocked out the hospital’s “business software, storage systems (in particular medical imaging) and the information system relating to patient admissions.”

This is not the first time a ransomware group has offered a decryptor to a hospital after an attack. Both the Conti and DoppelPaymer ransomware gangs offered free decryptors following massive attacks on Ireland's healthcare system and Helios University Hospital, respectively.

PREVIOUSLY: Toronto’s Hospital for Sick Children, Canada's largest pediatric health center, is still recovering from a ransomware attack that began on December 18. 

The hospital, which is attached to the University of Toronto, initially said the attack affected several network systems but did not discontinue patient care. 

Despite that, the healthcare organization declared the incident a “code grey” – which they said represented a “system failure.”

Officials later confirmed that it was a ransomware attack but said there was “no evidence” that the personal information of patients had been compromised. 

“At this time, the incident appears to have only impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages. Downtime procedures have been activated where needed,” the hospital said. 

Government agencies were notified and third party experts were hired to handle the response. Some of the hospital’s web pages were down and phone systems were having issues handling calls. 

The organization did not respond to requests for comment but has been providing updates on its website and Twitter feed since the attack was first announced.

On December 23, the hospital confirmed that it would take weeks before all of their systems were functioning normally. Clinical and operational teams are implementing backup procedures for systems that are not yet accessible, the hospital explained. 

The attack affected doctors' ability to access lab and imaging results, causing extended wait times for patients. The processes around sending prescriptions were also impacted. 

SickKids restoration efforts continue from cybersecurity incident: https://t.co/g6ALhMuKTe pic.twitter.com/FNXAdx6sGu

— SickKids_TheHospital (@SickKidsNews) December 23, 2022

“The Code Grey is affecting our internal timekeeping system. The SickKids Human Resources team has activated its emergency recovery plan to help ensure payments to staff remain on schedule. For staff who may be impacted by any delays, we are committed to ensuring they ultimately receive the correct pay,” officials said on Thursday. 

On Friday, the hospital was able to restore phone lines and the internal timekeeping system for staff payroll. Patients are still dealing with diagnostic and treatment delays due to the system outages. 

No ransomware group has taken credit for the attack as of Tuesday morning.

Hospital for Sick Children is the latest children's hospital attacked in recent years. FBI Director Christopher Wray said in June that Iranian government-backed hackers had targeted Boston Children’s Hospital, which he called “one of the most despicable cyberattacks I’ve ever seen.”

Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including recent attacks on a hospital complex in France, a Texas hospital, a California nonprofit and the United Kingdom’s National Health Service.