Parents sue Lurie over cybersecurity attack, claim hospital failed to keep patients safe

Lurie Children's Hospital failed to keep its patients safe after a recent cyberattack that shut down the medical center's systems for months, parents allege in new federal lawsuits.

At least two complaints seeking class-action status were recently filed with the U.S. District Court in Chicago. The lawsuits also allege the hospital waited too long to tell patients that their data had been compromised.

The parents claim their children experienced "actual harm" because of the attack and Lurie violated their responsibility to safeguard their information.

"As is Lurie Children’s policy, we are unable to comment on pending litigation matters. Our focus is on continuing to care for our patients as well as addressing the cybersecurity attack," a hospital spokesperson said in an email.

Cybercriminals attacked Lurie's systems from Jan. 26-31 and gained access to about 800,000 patients' personal and medical information, Lurie reported earlier this month in a data breach notice. The compromised data included names, addresses, dates of birth, contact information, Social Security numbers, health insurance details, medical conditions, diagnoses and treatments.

The criminal ransomware group Rhysida claimed it stole the data and sold it for 60 bitcoins, or about $3.4 million, according to the complaints.

The attack shut down the hospital's systems for months. Emails and phone lines were restored by mid-February. The patient portal MyChart and the hospital's electronic medical records platform Epic went back online in March. But the hospital said it wasn't until May that it was no longer dealing with an active cybersecurity threat.

While Lurie acknowledged the attack in January, it waited over five months to properly notify patients and their families that their information was compromised, the complaints allege.

One lawsuit claims the hospital allowed the attack to happen because it "failed to implement and maintain reasonable safeguards and failed to comply with industry-standard data security practices, as well as state and federal laws governing data security."

Because of the attack, the patients now face "a risk of boundless financial crimes," one complaint alleges.

One parent filed a complaint on July 3 on behalf of her four children, all of whom received notice that their information was accessed in the breach. Another parent filed a suit for her son on June 28, whose data was compromised.