Lurie Children’s Hospital Ransomware Attack and UNITE HERE Data Breach

EHR System of Lurie Children’s Hospital Now Restored One Month After Ransomware Attack

Ann & Robert H. Lurie Children’s Hospital located in Chicago encountered a ransomware attack that resulted in the deactivation of its phone, email, and health record systems. Lurie Children’s Hospital, which serves more than 220,000 patients annually, discovered a breach of its systems on January 31, 2024, and has reported that an identified threat actor obtained access to its systems, however, did not say whether it was a ransomware attack. The extent of the data breach is not yet confirmed.

Rhysida ransomware group is a known threat actor. It is a fairly new ransomware-as-a-service operation since May 2023. The group mainly targets institutions in the government, education, and manufacturing; nevertheless, numerous attacks were performed on healthcare companies such as Singing River Health System and Prospect Medical Holdings. The group is not considered as a major player in the ransomware market though it is a well-recognized group that carried out a minimum of 74 attacks in 2023 – about 2% of all ransomware attacks internationally, and last year was behind 4% of attacks on the healthcare field.

Rhysida uses double extortion strategies, where sensitive information is copied from the victim’s network before the encryption of files and requires payments in exchange for the keys to decrypt the information and stop the publishing or sale of the stolen files. In late February, the group mentioned on its data leak site the theft of 600 GB of data from Lurie Children’s Hospital, which would be available for sale. The exclusive price for the stolen files is 60 bitcoin or approximately $3.4 million. It would seem that Lurie Children’s Hospital did not pay the ransom because Rhysida reported the data was already sold. Lurie Children’s Hospital has stated that it is aware of the group’s notice but did not share any information regarding the nature of the attack and mentioned it is still investigating and is working carefully with law enforcement and security specialists.

As an academic medical center, Lurie Children’s Hospital’s systems are quite complex and, consequently, the restoration process takes a long time. It is working closely with internal and external professionals to completely restore its systems, which consists of confirming and checking each system prior to bringing them back online. Lurie Children’s Hospital stated it has teams working day and night to restore its systems. Its electronic medical record system was back together with other key systems; although, the MyChart patient portal is still not available. Patients utilize the MyChart portal to look at their health records, book appointments, speak to doctors, request prescription refills, obtain cost estimations for services, and pay fees.

Lurie Children’s Hospital recognizes that this system outage has caused inconvenience to patient families and community companies. The hospital is working diligently to solve this issue as quickly and efficiently as possible and to ensure compliance with HIPAA.

791,000 Individuals Impacted by UNITE HERE Data Breach

The labor union, UNITE HERE, based in New York serves 300,000 employees throughout Canada and the United States. It recently submitted a breach report to the HHS’ Office for Civil Rights that it encountered a data breach involving the protected health information (PHI) of 791,273 persons. UNITE HERE mentioned unauthorized access to its systems was noticed on October 20, 2023, and third-party cybersecurity specialists investigated the incident to determine the nature and scope of the data breach. The scope of the sensitive data access or theft cannot be determined, so it was decided to inform all people whose information was involved in the exposed system when the breach occurred.

The breached files included the sensitive information of members of some local unions and health funds and contained names, state identification numbers, driver’s licenses, Social Security numbers, passport numbers, alien registration numbers, tribal ID numbers, birth certificates, dates of birth, marriage licenses, signatures, financial account data, and medical details.

UNITE HERE stated passwords were quickly reset upon discovery of the security breach, and extra security measures were already implemented. Individuals who received a notification by mail concerning the breach were told to be cautious against identity theft and fraud and were provided complimentary credit monitoring and identity theft protection services using IDX.


Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X