
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

January 2024 Cyberattack on Lurie Children’s Hospital Affects 792K Individuals

On January 31, 2024, Ann & Robert H. Lurie Children’s Hospital of Chicago fell victim to a cyberattack that forced IT systems offline, including its Epic electronic health record systems and its MyChart patient portal. Staff were forced to work under downtime procedures and record patient information manually while its EHR was offline. It took until May 20, 2024, to restore access, and then the lengthy process of transferring all manually recorded data to the EHR commenced. Lurie Children’s said it has taken a considerable amount of time to investigate the incident and restore its systems due to the sophistication of the attack and the complexity of its IT infrastructure.

The forensic investigation confirmed that an unauthorized, unnamed third party had access to its systems from January 26, 2024, to January 31, 2024. Lurie Children’s confirmed that the hackers were able to access patient data during those 5 days. “Through our ongoing investigation, Lurie Children’s has determined that certain individuals’ personally identifiable and/or protected health information was impacted.”

The breach notification letter sent to the Maine Attorney General states that individual notification letters were mailed to the affected individuals on June 17, 2024, and 24 months of complimentary credit monitoring and identity theft protection services are available. The affected individuals must ensure they enroll in those services by October 5, 2024.

The updated breach notice on Lurie Children’s website provides details of the types of data involved. The exposed data varies from individual to individual and may include names along with one or more of the following: address, telephone number, email address, date of birth, dates of service, driver’s license number, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, and/or Social Security number. The forensic investigation did not uncover any evidence to suggest that its EHR was accessed in the attack.

Lurie Children’s confirmed that a ransom demand was issued but payment was not made as there was no guarantee that the stolen data could be retrieved or would be deleted. “Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data,” explained Lurie Children’s in its website notification. The breach notice to the Maine Attorney General states that 791,784 individuals were affected, and the HHS breach portal shows the incident involved the protected health information of 775,860 individuals.

The ransomware group behind the attack was not named by Lurie Children’s; however, the Rhysida ransomware group claimed responsibility for the attack and said it demanded a $3.4 million ransom payment. The group claimed to have sold the stolen data when payment was not made. It has not been possible to verify the accuracy of the group’s claims. As a precaution, anyone who receives a breach notification letter should take advantage of the credit monitoring services being offered and should remain vigilant against potential misuse of their data. If any suspicious activity is identified, it should be reported to the proper law enforcement authorities.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
