SickKids says 80 per cent of systems affected by ransomware attack restored

Toronto’s SickKids hospital says it has lifted the “Code Grey” alert issued following a ransomware attack last month that affected several critical hospital systems.

Hospital officials said Thursday that approximately 80 per cent of priority systems – those that have a direct impact on hospital operations – have now been restored.

The hospital says its Information Management Technology (IMT) team is continuing to work with operational leaders across the hospital to restore the remaining systems and that patients and families are unlikely to experience any significant impacts to their care.

“I am very thankful that we have been able to call the Code Grey All Clear relatively quickly with minimal disruptions to patients and families,” SickKids CEO Dr. Ronald Cohn said in a statement. “Without the extremely hard work of our staff and expertise of external advisors over the holidays, we would not have been able to lift the Code Grey as efficiently as we have.”

The hospital has been in a “Code Grey” status after a ransomware attack on Dec. 18, 2022 that delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system.

LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most active and destructive, issued an apology on Dec. 31 and offered to unlock the data targeted in the attack. LockBit claimed to have blocked the “partner” responsible for the attack and offered SickKids a free decryptor to unlock its data.

The investigation into what led up to the incident is ongoing.

SickKids said Thursday it had not used the decryptor to restore systems to date and has not made a ransom payment. The hospital said it continues to consult with its third-party experts to determine the most efficient and effective means to restore its impacted systems, including the possible use of the decryptor. There is no evidence to date that personal information or personal health information has been impacted.

The hospital previously said it took down two websites it operates on Friday after reporting “potential unusual activity,” though it said the activity appeared to be unrelated to the cyberattack.

Top Stories

Top Stories

Most Watched Today