In late January, Lurie Children’s Hospital took its phones, email, electronic health records system, and patient portal offline to deal with a ransomware attack. As a result, some patient care was disrupted or delayed. The hospital would not meet the threat actor’s demands for more than $3 million, and it wasn’t until a month later that the hospital announced that the Epic health records system was back online although the MyChart system was still offline.
The Rhysida ransomware-as-a-service (RaaS) group claimed responsibility for the attack and later claimed they sold some of the data.
This week, Lurie submitted notifications to regulators indicating that 791,784 people were affected by the attack. However, the U.S. Department of Health and Human Services has not posted any notification indicating how many patients were affected.
Lurie’s most recent update and notification can be found on its website, where there is also an FAQ for patients and parents. Lurie’s substitute notice describes the types of information involved:
Through our investigation, Lurie Children’s has determined that information relating to certain individuals, such as name, address, date of birth, dates of service, driver’s license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted. The information relating to a particular individual varies individual to individual. We have no indication that the cybercriminals accessed data stored in our electronic health record system (Epic), although certain information stored in other Lurie Children’s systems was impacted.
Because Lurie is a children’s hospital, many of the records also contain information on their parents, the parents’ health insurance, and any guarantor of payment.