The Chicago-based hospital is being sued for negligence that may have led to the breach.
What happened
Lurie Children’s Hospital, a Chicago Pediatric hospital with approximately 54 partnerships with other Illinois hospitals, faced a data breach in late January 2024. The breach impacted approximately 775,000 individuals and resulted in multiple systems going offline.
Lurie Children briefly disconnected email, phones, its electronic health record system, and its patient portal. All systems have since come online, but Lurie continues to investigate the incident.
Months later, multiple lawsuits have been filed against the hospital for exposing patient data. The suits allege the hospital failed to safeguard patient’s personal and health-related data reasonably. The suits also claim that Lurie did not notify impacted individuals promptly.
How it started
The incident began on January 26th, when cybercriminals accessed Lurie’s systems. The criminals maintained access until January 31st, when Lurie discovered the breach. In response, the hospital took multiple systems down. Despite this, Lurie was able to continue serving patients.
As part of the investigation, Lurie determined that accessed information includes names, addresses, dates of birth, dates of service, driver’s license numbers, email addresses, health claims information, health plan information, medical information, and prescription information. Social Security numbers and telephone numbers were also accessed.
Lurie said they did not a pay a ransom, as they were advised against doing so by cybersecurity experts.
Going deeper
Currently, at least four lawsuits have been filed against the hospital.
According to a source, suits were filed in the U.S. District Court and allege that the hospital knew or should have known the risks of a data breach. Court documents also noted that Lurie failed to notify impacted individuals until five months after the breach.
The Breach Notification Rule states that HIPAA-covered entities have 60 calendar days to notify victims of a breach. Despite this standard, it’s common for notifications to be delayed due to the investigations.
One lawsuit said, “The size of the Data Breach and information Defendant has disclosed about the breach to date, including the sensitive nature of the impacted data and the time it took for Defendant to identify the breach, collectively demonstrate Defendant failed to implement reasonable measures to prevent the Data breach and the exposure of highly sensitive patient information.”
Lurie has not yet responded to the lawsuit, but said in their online breach notice that the investigation was complex, which may have led to delays in individual notifications.
The big picture
It’s become common for healthcare organizations to face lawsuits following data breaches. Many result in compensation for victims and increased security measures to prevent future attacks. Yet as malicious actors utilize new attack mechanisms, attacks are becoming increasingly difficult to evade.
Furthermore, the healthcare industry is known to be heavily targeted by actors because of the sensitive data they hold and the often limited safeguards in place.
While attacks are common, they are not inevitable; the right security measures can ensure an organization's safety from threats.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
