Lurie Children’s Hospital Sued Over January 2024 Ransomware Attack
A class action lawsuit has been filed against Ann & Robert H. Lurie Children’s Hospital in Chicago in response to a January 2024 ransomware attack and data breach that exposed the protected health information of 775,860 patients.
The cyberattack was detected on January 31, 2024, and the forensic investigation confirmed that hackers had access to the network from January 26, 2024. The data exposed and potentially stolen included names addresses, telephone numbers, email addresses, dates of birth, dates of service, driver’s license numbers, health claims information, health plan beneficiary numbers, medical conditions/diagnoses, medical record numbers, treatment information prescription information, and Social Security numbers. The Rhysida ransomware group claimed responsibility for the attack and claimed to have sold the stolen data.
The attack took its electronic health record system offline for months and the investigation and document review were not completed until the summer. Individual notifications were sent to the affected individuals on June 17, 2024. Complimentary credit monitoring services were offered to the affected individuals for 24 months.
A lawsuit was filed in the U.S. District Court of the Northern District of Illinois by Nicole Demonte, parent and guardian of A.D., N.D., I.D., and N.S.D. whose data was compromised in the attack. The lawsuit claims Lurie Children’s failed to implement reasonable and appropriate cybersecurity measures and did not comply with industry standards for cybersecurity. Those failures are alleged to have allowed access to be gained to Lurie Children’s network and have left the plaintiffs and class members facing a lifetime risk of identity theft and fraud.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit also takes issue with the time taken to issue HIPAA notification letters and the lack of information in those letters when they were eventually sent. The lack of information has diminished the ability of the plaintiffs and class members to mitigate the harms resulting from the data breach. The lawsuit alleges negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Illinois Personal Information Protection Act, Illinois Consumer Fraud and Deceptive Business Practices Act, and the Illinois Uniform Deceptive Trade Practices Act. The lawsuit seeks class action certification, a jury trial, damages, attorneys’ fees and legal costs, and injunctive relief.
