Ann & Robert H. Lurie Children’s Hospital based in Chicago is facing a class action lawsuit because of a ransomware attack and data breach in January 2024 that compromised the protected health information (PHI) of 775,860 patients.
The hospital discovered the cyberattack on January 31, 2024. The forensic investigation affirmed that hackers had access to the system since January 26, 2024. The hacker viewed and potentially stole data including names, phone numbers, addresses, email addresses, birth dates, dates of service, medical insurance data, health plan beneficiary numbers, health conditions/diagnoses, medical record numbers, treatment data, prescription details, driver’s license numbers, and Social Security numbers. The Rhysida ransomware group announced that it was behind the attack and claimed to have sold the stolen information.
Because of the attack, the electronic health record system was taken offline for a few months. The investigation and document analysis were finished this summer. Personal notifications were sent to the impacted persons on June 17, 2024. Free credit monitoring services were provided to the affected persons for two years.
Nicole Demonte, mother and guardian of A.D., I.D., N.D., and N.S.D. who had their data compromised in the cyberattack, filed a lawsuit in the U.S. District Court of the Northern District of Illinois. The lawsuit alleges that Lurie Children’s did not implement reasonable and proper cybersecurity measures and failed to adhere to industry requirements for cybersecurity. That is why attackers gained access to the Lurie Children’s system. As a result, the plaintiffs and class members are in danger of fraud and identity theft.
The lawsuit likewise complains about the delay in sending breach notification letters and the lack of details in those letters once they were finally released. The lack of details has reduced the option of the plaintiffs and class members to abate the negative effects caused by the data breach. The lawsuit allegations include breach of contract, negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of the Illinois Uniform Deceptive Trade Practices Act, Illinois Personal Information Protection Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuit wants a jury trial, class action certification, attorneys’ professional fees and legal charges, damages, and injunctive relief.
