Cyber Incident Victim: Saint Anthony Hospital
Date:
Dec 2023
Location:
United States of America
Summary
A Chicago hospital experienced a ransomware attack claimed by the LockBit gang, involving unauthorized copying of patient information files from its network. The organization secured its systems promptly to maintain uninterrupted care and initiated an investigation with cybersecurity experts, determining no compromise to its electronic medical records or financial systems. LockBit demanded a $900,000 ransom, which the institution refused, emphasizing resource allocation toward community care over rewarding criminal activity. Impacted individuals will receive notification letters with credit monitoring services once the ongoing review identifies affected data. The incident was reported to the FBI and health regulators, while the threat actors continued targeting healthcare entities despite past claims of avoiding such attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 18, 2023, Saint Anthony Hospital in Chicago detected suspicious activity within its computer network, prompting immediate action to secure systems and investigate the incident without disrupting patient care. The hospital engaged cybersecurity specialists to determine the nature and scope of the breach, revealing on January 7, 2024, that an unknown actor had copied files containing patient information during the December 18 intrusion. While the Electronic Medical Record (EMR) database and financial systems were not compromised as a whole, the hospital initiated a comprehensive review of the copied files to identify affected individuals and specific data types. The LockBit ransomware gang claimed responsibility for the attack on January 30, 2024, listing the hospital on its leak site with a two-day ultimatum to pay a $900,000 ransom. Hospital leadership explicitly refused payment, stating resources would prioritize community care rather than rewarding criminal actors. This marked LockBit’s second publicly claimed hospital attack in January 2024, despite the group’s historical claims of avoiding healthcare targets, as evidenced by prior incidents including a 2022 attack on Toronto’s Hospital for Sick Children.
The breach investigation remained ongoing as of January 29, 2024, with Saint Anthony unable to confirm the exact number of impacted patients or specific data categories involved beyond the copied files. The hospital committed to mailing notification letters with free credit monitoring and identity protection services upon completing its file review. Regulatory notifications were made to the FBI, U.S. Department of Health and Human Services, and other authorities, aligning with disclosure protocols for incidents potentially affecting the 340,000+ patients served in 2021–2022. Internal response measures included securing the network, maintaining uninterrupted clinical operations, and evaluating policies for enhanced data protection. Patients were advised to monitor accounts for suspicious activity, review explanations of benefits, and consider fraud alerts or credit freezes through major credit bureaus while awaiting individualized notifications.