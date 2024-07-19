Parents sue Lurie Children's over cybersecurity attack, claim hospital failed to keep patients safe

More than 791,000 people were affected in the Lurie Children's Hospital security breach earlier this year.

CHICAGO -- Lurie Children's Hospital failed to keep its patients safe after a recent cyberattack that shut down the medical center's systems for months, parents allege in new federal lawsuits.

At least two complaints seeking class-action status were recently filed with the U.S. District Court in Chicago. The lawsuits also allege the hospital waited too long to tell patients that their data had been compromised.

The parents claim their children experienced "actual harm" because of the attack and Lurie violated their responsibility to safeguard their information.

"Lurie Children's allowed a dangerous cybercrime group to steal and sell personal information and medical records belonging to 800,000 victims - the majority of whom were likely children," said Katherine Aizpuru, an attorney with the D.C.-based law firm Tycko & Zavareei representing one of the parents.

"We intend to hold Lurie Children's accountable for its egregious breach of patient trust and secure full redress for our clients and the rest of the victims," she added.

The hospital declined to comment on the lawsuit. "As is Lurie Children's policy, we are unable to comment on pending litigation matters. Our focus is on continuing to care for our patients as well as addressing the cybersecurity attack," a hospital spokesperson said in an email.

Cybercriminals attacked Lurie's systems from Jan. 26-31 and gained access to about 800,000 patients' personal and medical information, Lurie reported this month in a data breach notice. The compromised data included names, addresses, dates of birth, contact information, Social Security numbers, health insurance details, medical conditions, diagnoses and treatments.

The criminal ransomware group Rhysida claimed it stole the data and sold it for 60 bitcoins, or about $3.4 million, according to the complaints.

The attack shut down the hospital's systems for months. Emails and phone lines were restored by mid-February. The patient portal MyChart and the hospital's electronic medical records platform Epic went back online in March. But the hospital said it wasn't until May that it was no longer dealing with an active cybersecurity threat.

While Lurie acknowledged the attack in January, it waited over five months to properly notify patients and their families that their information was compromised, the complaints allege.

One lawsuit claims the hospital allowed the attack to happen because it "failed to implement and maintain reasonable safeguards and failed to comply with industry-standard data security practices, as well as state and federal laws governing data security."

Because of the attack, the patients now face "a risk of boundless financial crimes," one complaint alleges.

The parent represented by Tycko & Zavareei filed a complaint on July 3 on behalf of her four children, all of whom received notice that their information was accessed in the breach. Another parent, represented by the New York firm Sterlington PLLC, filed a suit for her son on June 28, whose data was also compromised.

(Source: Sun-Times Media Wire - Copyright Chicago Sun-Times 2024.)