Lurie Children's Hospital begins restoring patient MyChart access after January cybersecurity breach

About a month and a half after its systems were breached, Lurie Children's Hospital of Chicago said it is starting to reactivate its Epic MyChart patient portal.

The process "will take place over the coming days," Illinois' largest pediatric care provider said Thursday afternoon.

The restoration will include individual MyChart functions including "online scheduling, e-check in, provider messaging, medication refill requests and—in the coming days—bill pay," the organization said. It warned families that there may still be intermittent service disruptions online and in-app, and that patient information including billing "may not immediately" be up to date since the platform was not updated during its downtime. 

"We are actively working to update the information available in MyChart with the information collected during the system downtime," Lurie Children's wrote in an online notice. "We do not have an estimate when this work will be complete, and we will provide updates as this process progresses."

Telemedicine appointments through MyChart are once again available as well, the system said.

Lurie Children's said that it took down its email, phone and MyChart systems offline on Jan. 31 as a security measure after a criminal actor gained access to its network. It has gradually been bringing those capabilities back online in the weeks since—email and most phone lines came back in mid-February, though clinicians didn't regain access to electronic health records until earlier this month. 

In the weeks following the outage's onset, the provider said it was working with law enforcement including the FBI on investigating the breach. 

Last week a ransomware group, called Rhysida, reportedly claimed it was responsible for the breach and had sold "all" of the data it stole from Lurie Children's on the dark web for about $3.4 million. The hospital told press in statements that it was aware of the claims and is still investigating. 

Some Lurie Children's Hospital systems back online following 2-week outage

Feb. 15

Lurie Children's Hospital of Chicago said Wednesday that it has restored email systems and a majority of its phone lines after both were taken offline two weeks ago when the provider identified unauthorized access to its network.

Still, Lurie Children's Epic MyChart system "remains offline for the time being" and patients, families and community providers are being encouraged to phone the call center it launched to help coordinate calls, the hospital said.

"Our network system's restoration is ongoing and progressing," Lurie Children's wrote in a Wednesday afternoon update.

The system, which is Illinois' largest provider of pediatric services, reiterated that it continues to deliver services but that a full recovery "can take time to resolve." Last week it confirmed that the outage was triggered in line with its emergency preparedness plan after "a known criminal threat actor" accessed the network.

Feb. 8

Lurie Children's network accessed by 'criminal threat actor'

Lurie Children’s Hospital of Chicago confirmed Thursday that the past week's systems outage is the result of criminal access to its network.

The system, which is the largest pediatric provider in Illinois, initiated an emergency preparedness plan last Wednesday that involved taking its phone, email and Epic MyChart systems offline. 

"We can now confirm that our network was accessed by a known criminal threat actor," Marcelo Malakooti, chief medical officer at Lurie Children's said during a Thursday afternoon press update. "We take this matter very seriously and have been working closely around the clock with outside and internal experts, and in collaboration with law enforcement including the FBI. This is an active and ongoing investigation."

All Lurie Children's locations have remain open "with as few disruptions as possible," according to Malakooti's statement which has since been posted on Lurie Children's website. During the past week the organization established a call center where families and community providers can seek prescription refills and discuss appointments. 

FBI Chicago also confirmed to Chicago's CBS affiliate yesterday that it is "aware of the recent cybersecurity incident affecting Lurie Children's Hospital and is utilizing all available investigative tools and resources to provide assistance." The law enforcement agency said it had no additional information for release at the time.

Malakooti warned that "these incidents can take time to resolve" due to the high complexity of the academic medical centers' systems.

"We recognize the frustration and concern this situation creates for all of those impacted. We're so grateful for our Lurie Children's community for the outpouring of support, and we are especially inspired by our workforce and their resiliency and their commitment to our mission. We will continue to provide updates as they are available.

Lurie Children's Hospital provides care to more than 239,000 children per year across its downtown Chicago hospital, 17 outpatient services locations and six primary care sites. The organization has not described the incident as a ransomware attack or other specific form of cyberattack. 

Feb. 2

Lurie Children’s Hospital of Chicago has been working through a “cybersecurity matter” since Wednesday that has led the organization to take its phone, email and Epic MyChart systems offline, according to the provider and media reports.

In a Thursday night statement, the children’s hospital said it is “actively responding” to the issue and has tapped “leading experts” and law enforcement agencies for support. However, the organization’s main hospital, outpatient facilities and primary care offices are all affected, per reports and social media posts from patients’ family members, with disruptions including communication barriers, prescription issues and canceled surgeries.

“As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve,” the hospital said in its statement. “Lurie Children's is open and providing care to patients with as few disruptions as possible.”

Lurie Children’s said it took its network systems offline “as part of our response” and is “currently working to establish a call center to address our patient-families’ and community providers’ needs.”

Lurie Children’s has not described the disruption as ransomware or any other type of cyberattack. The organization provides care to more than 239,000 children per year across its downtown Chicago hospital, 17 outpatient services locations and six primary care sites.

Federal records suggest cyberattacks and data breaches have increased among healthcare organizations in recent years. The issue has become a key focus for the Biden administration, which recently released voluntary cybersecurity performance goals for hospitals and is promising future rulemaking to incentivize resiliency across the sector.

Children’s hospitals aren’t immune to cyberattacks on health facilities, though last year included an unusual case in which a ransomware gang issued an apology and released Toronto’s Hospital for Sick Children from an extortion attack after it learned that an affiliate group was behind the incident.