The Hospital for Sick Children (SickKids), Toronto's leading paediatric teaching hospital serving one of Canada's most vulnerable populations, experienced a devastating ransomware attack in December 2022. The LockBit gang, responsible for encrypting critical healthcare systems, forced the hospital to divert emergency cases and postpone non-urgent surgeries during the crucial holiday period. What made this attack particularly notable was an unusual and controversial move by the threat actors, who ultimately provided a free decryption key without ransom payment, citing humanitarian concerns.
What Happened
On December 6, 2022, SickKids' IT security team discovered that their systems had been compromised by LockBit ransomware. The initial intrusion likely occurred weeks earlier through phishing emails or exploitation of an unpatched vulnerability, allowing attackers to move laterally across the hospital's network and establish persistence. Once positioned throughout critical infrastructure, the LockBit gang deployed their ransomware payload across hundreds of systems simultaneously, encrypting electronic medical records, pharmacy systems, laboratory information systems, and administrative infrastructure.
The attack forced the hospital to take critical systems offline, preventing access to patient records and forcing staff to revert to paper-based systems for patient documentation. This technological regression in a modern healthcare setting created significant operational challenges and patient safety concerns.
Impact on Patient Care
The impact on SickKids' operations was immediate and severe. The hospital's emergency department was forced to divert non-critical patients to nearby hospitals, as staff struggled to access necessary medical information and treatment histories. Non-urgent surgeries were postponed, affecting hundreds of scheduled procedures during the December period. Outpatient appointments and diagnostic services experienced significant delays as imaging systems, laboratory processing, and appointment scheduling systems remained offline.
The disruption occurred at the worst possible time—during the holiday season when emergency departments typically experience increased patient volumes. Cancer treatment patients, who were receiving chemotherapy, faced difficult decisions about treatment postponements. Families with chronically ill children experienced additional stress and uncertainty about their children's ongoing care.
The Ransom Demand and Unusual Outcome
True to form, the LockBit gang posted evidence of their theft to the dark web and demanded a substantial ransom in exchange for a decryption key. However, in a development that cybersecurity experts found puzzling and potentially suspect, LockBit claimed they were providing a free decryption tool and withdrawing after public outcry regarding the attack on a children's hospital. Some security researchers speculated that the group faced significant pressure from law enforcement or encountered technical issues with their ransomware deployment that necessitated providing the key.
This unusual outcome—where a major ransomware gang voluntarily ceased extortion of a healthcare facility—raised questions about the authenticity of their humanitarian claims, though the free decryption tool did enable SickKids to begin recovery operations without financial payment.
Data Compromised
Beyond the encryption attack, LockBit also exfiltrated sensitive information, including:
- Patient medical records and healthcare information
- Employee personal information and credentials
- Vendor and supplier contact information
- Research and proprietary clinical trial data
- Administrative and financial records
The exposure of paediatric patient medical records posed particular risks, as this information could be used for fraud or exploitation of minors. SickKids implemented a comprehensive notification campaign and offered credit monitoring services to affected patients and families.
Recovery and Response
SickKids' recovery from the attack took several months. The hospital deployed a phased restoration approach, prioritizing critical systems including emergency department functionality, intensive care units, and surgical suites. IT teams worked around the clock to rebuild systems from clean backups, verify integrity, and implement enhanced security controls before reconnecting systems to the network. By December 20, 2022, most critical systems had been restored, though full operational normalcy took weeks to achieve.
The hospital's response included several significant security enhancements:
- Implementation of advanced endpoint protection and endpoint detection and response (EDR) technology
- Deployment of network segmentation to isolate critical clinical systems
- Enhanced monitoring for suspicious network activity and data exfiltration attempts
- Mandatory multi-factor authentication across all systems
- Increased investment in backup and disaster recovery infrastructure
- Expansion of security awareness training for all staff members
Broader Healthcare Implications
The SickKids attack highlighted the vulnerability of Canada's healthcare sector to sophisticated cyberattacks. Hospitals are particularly attractive targets for ransomware gangs because their critical nature means organizations often prioritize rapid recovery over law enforcement involvement. The attack prompted Canadian health authorities and hospital administrators to increase cybersecurity investments and establish stronger coordination mechanisms with provincial health ministries and law enforcement agencies.
The incident also raised awareness about the cascading effects of healthcare breaches—not just the direct impact on the targeted organization, but the broader consequences for the healthcare system when a major teaching hospital must divert patients and postpone critical care.