Lurie Children’s Hospital of Chicago announced the restoration of its patient-facing systems online on May 20, 2024, after a cyberattack on January 31. The system of Illinois’ largest pediatric care provider was down for over three and a half months leading to inaccessibility of electronic health records, telephone and email systems. Although the children’s hospital is not dealing with an active cyberattack now, it may still take some time before patients can view their complete records on the MyChart portal.
Since the attack on January 31, 2024, hospital employees have been following downtime operation procedures and using paper and pen to record patient data, and that data is being encoded into MyChart. Although the information before the cyberattack is accessible for viewing, there might be discrepancies in information until the data gathered during the downtime is included. Patients who need an updated record immediately must contact the hospital’s Health Information Management Office by phone. Other important MyChart functions, such as provider messaging, are accessible on the web but statement balances may still be incomplete.
The organization mentioned it’s been working with law enforcement through the investigation process, but gave no exact timetable concerning the length of the entire investigation. Lurie Children’s Hospital has not confirmed the magnitude of any data breach. Notification letters will be sent to impacted people once the provider completes the investigation and data analysis.
Lurie Children’s Hospital mentioned an identified criminal threat group performed the cyberattack. The Rhysida threat group professed to be behind the attack and stated that it sold the stolen information for $3.4 because the hospital did not pay the ransom.
Lurie Children’s Hospital serves over 239,000 children patients every year through its downtown Chicago hospital, six primary care sites, and 17 outpatient service locations. The healthcare provider has hired security specialists to improve the defenses of its systems to avoid the exposure of sensitive data including PHI in the future.
