On January 31, 2024, the Ann & Robert H. Lurie Children's Hospital of Chicago fell victim to a sophisticated cyberattack that brought down its IT systems, including the Epic electronic health record (EHR) and the MyChart patient portal. The incident forced hospital staff to revert to manual record-keeping procedures as they scrambled to provide patient care without access to their digital systems.
It took until May 20, 2024, for the hospital to restore full functionality to its EHR and other affected systems, marking a four-month period of recovery and data restoration efforts. Lurie Children's cited the complexity of its IT infrastructure and the advanced nature of the attack as the primary reasons for the prolonged restoration process.
The backstory
The forensic investigation revealed that the unauthorized third-party perpetrators had gained access to Lurie Children's systems as early as January 26, 2024, five days before the attack was detected and the systems were taken offline. During this window, the hackers were able to access and potentially exfiltrate sensitive patient data.
In its breach notification letter to the Maine Attorney General, Lurie Children's confirmed that the exposed information varied on an individual basis but could include names, contact details, dates of service, medical diagnoses and treatments, insurance details, and even Social Security numbers. The hospital estimated that the data breach impacted a staggering 791,784 individuals.
Going deeper
The ransomware group behind the attack, identified as Karakurt, claimed responsibility and demanded a $3.4 million ransom payment in exchange for the stolen data. However, Lurie Children's refused to comply, citing the lack of any guarantee that the data would be recovered or deleted.
Instead, the hospital worked closely with law enforcement to retrieve the compromised data, a process that likely contributed to the extended timeline for restoring full system functionality. Lurie Children's also offered 24 months of complimentary credit monitoring and identity theft protection services to the affected individuals, urging them to enroll by October 5, 2024.
Why it matters
The Lurie Children's Hospital breach is a sobering example of the consequences that can arise from a successful cyberattack on a healthcare institution. The exposure of sensitive personal and medical information for over 790,000 individuals represents a massive breach of trust and a great risk of identity theft, financial fraud, and other forms of exploitation.
Beyond the immediate impact on the affected patients, this incident also indicates the broader vulnerabilities facing the healthcare sector, which has become a prime target for cybercriminals. The disruption to Lurie Children's operations and the substantial resources required for recovery demonstrate the substantial operational and financial toll that such attacks can take on healthcare providers.
Farah Amod
