Cyber Incident Victim: Hospital for Sick Children

On December 18, 2022, the Hospital for Sick Children (SickKids) in Toronto experienced a ransomware attack that disrupted multiple network systems. The hospital declared a Code Grey—indicating a system failure—as the incident affected internal and corporate systems, hospital phone lines, and its public website. SickKids publicly confirmed the cybersecurity event via a social media statement on the same day, asserting that patient care remained unaffected at the initial stage. The attack encrypted a limited number of systems but caused operational delays, particularly in receiving laboratory and imaging results, which extended patient wait times. Diagnostic and treatment workflows were impacted, though the hospital did not specify the duration of these disruptions.

By December 29, 2022, SickKids had restored 50% of its priority systems, focusing on those directly linked to diagnostic or treatment delays. The LockBit ransomware gang claimed responsibility for the attack but later issued a public apology and provided a free decryptor to the hospital. LockBit stated that one of its affiliates violated its operational policies, which prohibit encrypting systems at medical institutions where attacks could risk patient fatalities, such as hospitals performing computer-assisted surgical procedures. The gang permits data theft from medical entities but restricts encryption attacks on specific high-risk facilities. LockBit operates under a Ransomware-as-a-Service model, where affiliates conduct attacks and share ransom payments with the operators, who retain approximately 20% of proceeds. This incident followed a precedent set in May 2021, when the Conti ransomware group provided Ireland’s Health Service Executive (HSE) with a free decryptor amid law enforcement pressure.