Cybercriminals carried out the attack from Jan. 26-31. At the time, Lurie disclosed it was responding to a cybersecurity threat and took certain electronic systems offline, including phones, emails, patient portal MyChart and electronic health system Epic. However, lawsuits allege that while Lurie disclosed the threat, it did not inform affected patients that their data had been leaked to hackers until the end of June.
“This critical passage of time is and was harmful to the victims of the data breach,” said one complaint filed by Amy Kmiecik, a guardian of an underage patient. “As is the case with data breaches generally, every moment is precious in order to recover data and take necessary safety measures to insulate from the many harms that data breaches cause.”
Leaked information in the Lurie breach includes names, addresses, driver’s license numbers, health plan and claims information, medical conditions and diagnoses, Social Security numbers and other sensitive information, according to a notice posted to the hospital’s website. Cybersecurity news outlet The Record previously reported ransomware group Rhysida sold data stolen from Lurie for $3.4 million.
Another lawsuit filed by Nicole Demonte on behalf of underage plaintiffs argues hackers now have the ability to open new financial accounts in patients' names, take out loans using their identities, file fraudulent tax returns and commit other crimes.
The lawsuits are seeking damages, restitution, injunctive relief and declaratory judgement. The suits also ask that Lurie Children’s offer three years of identity theft protection and credit monitoring to affected patients, up from the two years the hospital has already offered.
A Lurie spokesperson did not immediately respond to a request for comment about the lawsuits.
Following the cyberattack in January, some of Lurie’s systems were down for months. It wasn’t until May that the hospital said it was no longer addressing an active security threat. By June, Lurie said all systems had been restored.
Lurie officials have said the hospital did not pay a ransom to end the attack.
Cyberattacks on hospitals and other healthcare providers are becoming more common as cybercriminals try to capitalize on the wealth of data held by the healthcare sector. Aside from causing business-related headaches and costs, the attacks can also disrupt care and put lives in danger.
Lawsuits against healthcare organizations following cyber breaches are common. Chicago-based Catholic hospital chain CommonSpirit Health was similarly sued over a monthlong data breach in 2022 that impacted more than 600,000 patients. However, the case was ultimately dismissed in October 2023, according to court records.
This story first appeared in Crain's Chicago Business.