Update March 6, 2024: Lurie Children’s announced it restored its Epic EHR platform and other key systems following the cyberattack on January 31. However, the patient portal MyChart remains unavailable.
Update March 1, 2024: A ransomware group is offering to sell “exclusive data” stolen from a Chicago pediatric hospital on the dark web for $3.4 million. Lurie Children’s says it is aware of the offer but declined further comment, noting its ongoing investigation.
The Ann & Robert Lurie Children’s Hospital in Chicago has been struggling to operate for six days while responding to a cybersecurity incident. As of Monday, February 5, the hospital’s network – including phones, email, electronic health records, and the patient portal – was still offline nearly a week after the cyberattack.
Lurie Children’s is a nationally ranked pediatric acute care children’s hospital of 360 beds, affiliated with the Northwestern University Feinberg School of Medicine. The hospital says it continues to offer healthcare services “with as few disruptions as possible” as it responds to the cyber incident.
However, medical care has been delayed, and patient communications have been severely restricted. The hospital set up a dedicated call center for non-urgent patient questions, information about scheduled appointments, and prescription refill requests.
The hospital first acknowledged a “network outage that impacts internet and phone service” on January 31 on Facebook. Since then, the hospital has posted updates every day. There is still no end in sight nor much information about what happened. The hospital is investigating with the help of law enforcement.
On February 5, the hospital’s website notice stated,
“We recognize the frustration of not having clarity on when this will be resolved. Our investigation remains ongoing and we are working around the clock to resolve this matter.”
Pediatric PHI May Have Been Breached
Lurie Children’s has not mentioned potential breaches of patient information, but we expect this news to come soon. A cyberattack of this size usually includes compromising protected health information (PHI).
This cyber attack is troubling because pediatric PHI is of exceptionally high value to criminals. A child’s medical identity has little or no financial or medical history attached to it. Therefore, the child’s data can create an entirely new identity, supplanting the child who hasn’t used it yet. When the child reaches adulthood and applies for a credit card or mortgage, they’re blocked because their identity was stolen years earlier.
Although cyberattacks on children’s hospitals are not as common as ones on other healthcare providers, they do happen.
The U.S. Department of Health and Human Services (HHS) has noted that the healthcare sector is vulnerable to cybercrime. All healthcare providers and business associates should review their cyber defenses and update their security risk assessments. Conduct a risk analysis and follow the HIPAA Security Rule. As part of the risk analysis and risk management plan, create a contingency plan to bring systems back online as much as possible and stay operational.
As the investigation at Lurie Children’s continues, we will update you with news as we learn more.