Lurie Children's Hospital of Chicago sent out data breach letters to about 792,000 people warning them of cybercriminals' potential access to their personal information.
The criminals accessed Lurie Children's systems between Jan. 26 and Jan. 31, at which point the pediatric care provider voluntarily took down many of its electronic systems. Patients, providers and employees navigated the outages for months, with Lurie Children's announcing that all of its patient-facing systems were brought back online in late May.
Per an online notice, the information that may have been compromised could include an individual's name, address, date of birth, dates of service, driver’s license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number and telephone number.
The system said it sees no signs that the data stored in its electronic health record was compromised. The system said that it did not pay a ransom over the course of the attack, as "experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken."
"Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data," CEO and President Tom Shanley wrote in an open letter to the community. "Our investigation to-date has not identified the impacted data on the dark web or in the public sphere."
The organization said it is offering those whose information was impacted complimentary 24-month access to information protection services.
May 21
Lurie Children's Hospital resolves months-long cyberattack, reactivates patient-facing systems
Lurie Children's Hospital of Chicago announced Monday that it "is no longer addressing an active cybersecurity matter" and has reactivated patient-facing systems that were taken offline over three and a half months ago.
Illinois' largest pediatric care provider had been contending with the cyberattack from "a known criminal threat actor" since Jan. 31, leading to outages of electronic health records, phone and email systems that were gradually restored in the following months.
The organization said it's been in contact with law enforcement through the process, though it is still "unable to provide a definitive timeline" of when its investigation of the incident will be complete.
Though it has now validated and reactivated patient-facing systems, Lurie Children's warned that some information logged in MyChart may be incomplete as it's still working to update those records with what was collected during the downtime. Patients in immediate need of an updated record should reach out to the organization's Health Information Management Office by phone, it said.
Other "key" MyChart functions, like provider messaging, are back online, though statement balances may also be incomplete, per the notice.
"Thank you to our patient-families and community for their ongoing support and patience as we have responded to this incident," Lurie Children's wrote in its update. "We look forward to continuing to care for our patient-families, accelerate cutting-edge research discoveries and work with community partners to advance health equity for youth and their families, just as we have always done."
Lurie Children's Hospital provides care to more than 239,000 children annually across its downtown Chicago hospital, 17 outpatient service locations and six primary care sites. The organization said it is "working closely with security experts" to enhance the security of its systems to prevent similar incidents in the future.
March 15
Lurie Children's Hospital begins restoring patient MyChart access after January cybersecurity breach
About a month and a half after its systems were breached, Lurie Children's Hospital of Chicago said it is starting to reactivate its Epic MyChart patient portal.
The process "will take place over the coming days," Illinois' largest pediatric care provider said Thursday afternoon.
The restoration will include individual MyChart functions including "online scheduling, e-check in, provider messaging, medication refill requests and—in the coming days—bill pay," the organization said. It warned families that there may still be intermittent service disruptions online and in-app, and that patient information including billing "may not immediately" be up to date since the platform was not updated during its downtime.
"We are actively working to update the information available in MyChart with the information collected during the system downtime," Lurie Children's wrote in an online notice. "We do not have an estimate when this work will be complete, and we will provide updates as this process progresses."
Telemedicine appointments through MyChart are once again available as well, the system said.
Lurie Children's said that it took its email, phone and MyChart systems offline on Jan. 31 as a security measure after a criminal actor gained access to its network. It has gradually been bringing those capabilities back online in the weeks since—email and most phone lines came back in mid-February, though clinicians didn't regain access to electronic health records until earlier this month.
In the weeks following the outage's onset, the provider said it was working with law enforcement including the FBI on investigating the breach.
Last week a ransomware group, called Rhysida, reportedly claimed it was responsible for the breach and had sold "all" of the data it stole from Lurie Children's on the dark web for about $3.4 million. The hospital told press in statements that it was aware of the claims and is still investigating.
Feb. 15
Some Lurie Children's Hospital systems back online following 2-week outage
Lurie Children's Hospital of Chicago said Wednesday that it has restored email systems and a majority of its phone lines after both were taken offline two weeks ago when the provider identified unauthorized access to its network.
Still, Lurie Children's Epic MyChart system "remains offline for the time being" and patients, families and community providers are being encouraged to phone the call center it launched to help coordinate calls, the hospital said.
"Our network system's restoration is ongoing and progressing," Lurie Children's wrote in a Wednesday afternoon update.
The system, which is Illinois' largest provider of pediatric services, reiterated that it continues to deliver services but that a full recovery "can take time to resolve." Last week it confirmed that the outage was triggered in line with its emergency preparedness plan after "a known criminal threat actor" accessed the network.
Feb. 8
Lurie Children's network accessed by 'criminal threat actor'
Lurie Children’s Hospital of Chicago confirmed Thursday that the past week's systems outage is the result of criminal access to its network.
The system, which is the largest pediatric provider in Illinois, initiated an emergency preparedness plan last Wednesday that involved taking its phone, email and Epic MyChart systems offline.
"We can now confirm that our network was accessed by a known criminal threat actor," Marcelo Malakooti, chief medical officer at Lurie Children's, said during a Thursday afternoon press update. "We take this matter very seriously and have been working closely around the clock with outside and internal experts, and in collaboration with law enforcement including the FBI. This is an active and ongoing investigation."
All Lurie Children's locations have remained open "with as few disruptions as possible," according to Malakooti's statement, which has since been posted on Lurie Children's website. During the past week the organization established a call center where families and community providers can seek prescription refills and discuss appointments.
FBI Chicago also confirmed to Chicago's CBS affiliate yesterday that it is "aware of the recent cybersecurity incident affecting Lurie Children's Hospital and is utilizing all available investigative tools and resources to provide assistance." The law enforcement agency said it had no additional information for release at the time.
Malakooti warned that "these incidents can take time to resolve" due to the high complexity of the academic medical centers' systems.
"We recognize the frustration and concern this situation creates for all of those impacted. We're so grateful for our Lurie Children's community for the outpouring of support, and we are especially inspired by our workforce and their resiliency and their commitment to our mission. We will continue to provide updates as they are available."
Lurie Children's Hospital provides care to more than 239,000 children per year across its downtown Chicago hospital, 17 outpatient services locations and six primary care sites. The organization has not described the incident as a ransomware attack or other specific form of cyberattack.
Feb. 2
Lurie Children’s Hospital of Chicago has been working through a “cybersecurity matter” since Wednesday that has led the organization to take its phone, email and Epic MyChart systems offline, according to the provider and media reports.
In a Thursday night statement, the children’s hospital said it is “actively responding” to the issue and has tapped “leading experts” and law enforcement agencies for support. However, the organization’s main hospital, outpatient facilities and primary care offices are all affected, per reports and social media posts from patients’ family members, with disruptions including communication barriers, prescription issues and canceled surgeries.
“As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve,” the hospital said in its statement. “Lurie Children's is open and providing care to patients with as few disruptions as possible.”
Lurie Children’s said it took its network systems offline “as part of our response” and is “currently working to establish a call center to address our patient-families’ and community providers’ needs.”
Lurie Children’s has not described the disruption as ransomware or any other type of cyberattack. The organization provides care to more than 239,000 children per year across its downtown Chicago hospital, 17 outpatient services locations and six primary care sites.
Federal records suggest cyberattacks and data breaches have increased among healthcare organizations in recent years. The issue has become a key focus for the Biden administration, which recently released voluntary cybersecurity performance goals for hospitals and is promising future rulemaking to incentivize resiliency across the sector.
Children’s hospitals aren’t immune to cyberattacks on health facilities, though last year included an unusual case in which a ransomware gang issued an apology and released Toronto’s Hospital for Sick Children from an extortion attack after it learned that an affiliate group was behind the incident.