Dive Brief:
- Multiple lawsuits seeking class action status were filed against Lurie Children’s Hospital last week after a cyberattack potentially exposed information from hundreds of thousands of people.
- The suits allege the Chicago-based hospital failed to properly safeguard defendants’ personal and health information, and took months to notify people whose data could have been compromised.
- Lurie was hit by a cyberattack in late January, forcing the provider to take critical systems offline for weeks. The breach may have exposed information from more than 775,000 people, according to a June report to federal regulators.
Dive Insight:
Cyberattacks against hospitals can be a serious threat to patient care, cutting off access to critical equipment and technology and forcing providers to divert emergency cases or delay care.
Attacks against the industry are rising too. The sector has already seen several high profile incidents in 2024, including attacks on major medical claims processor Change Healthcare and large nonprofit health system Ascension.
Lurie faced its own attack in late January. The children’s hospital took key systems offline, including its phone, email and electronic health record systems. It took months for the provider to fully recover.
This summer, Lurie said information like names, addresses, birth dates, Social Security numbers, dates of service, email addresses, telephone numbers, driver’s license numbers, health plan details and medical information.
The suits, filed last week in U.S. District Court, allege the children’s hospital knew or should have known the risks of a data breach. The litigation also noted it took about five months for Lurie to begin contacting people whose information may have been compromised in the attack.
“The size of the Data Breach and information Defendant has disclosed about the breach to date, including the sensitive nature of the impacted data and the time it took for Defendant to identify the breach, collectively demonstrate Defendant failed to implement reasonable measures to prevent the Data Breach and the exposure of highly sensitive patient information,” one lawsuit said.
Lurie did not immediately return a request for comment. In a data breach notification, the hospital said it took time to understand what happened and identify the scope of the impact “due to the complexity of the attack as well as our infrastructure.”
Lawsuits related to healthcare data breaches aren’t uncommon. Ascension faced proposed class action lawsuits days after reporting a ransomware attack, while Change has been hit with dozens of suits.