The personal data of nearly 800,000 people was leaked during a months-long cyberattack at Lurie Children’s Hospital this year that forced the institution to shut down its entire network.
The hospital said 791,784 people were affected by the hack, which investigators determined began in late January, according to a data breach notice filed last week with the Office of the Maine Attorney General.
Personal data that was leaked included Social Security numbers, medical conditions or diagnoses, addresses, driver’s license numbers and prescription information, the hospital said in a notice on its website.
Cybercriminals accessed Lurie’s system’s between Jan. 26 and Jan. 31, the hospital said. Phone, email and electronic systems were taken offline on Jan. 31 in response to the attack, though the hospital remained open throughout the outage.
MyChart, the hospital’s patient portal, was also shut down, leaving some parents frustrated with the response times of the call center that was established after the network was shut down.
The hospital slowly reestablished its network over the next several weeks. Emails and phone lines went back online by mid-February. And its electronic medical records platform was restored in early March. But it wasn’t until May 20 that the hospital said it was no longer combating the cybersecurity threat.
The hospital said it did not pay a ransom and instead worked with law enforcement to retrieve data once investigators determined how much had been affected by the attack.
The Rhysida ransomware group was allegedly behind the attack, according to cybersecurity news outlet The Record, which also said the group made more than $3 million from selling the data it stole.
The hospital said it is notifying individuals whose data was stolen, including through mailing notification letters. “Our notification material will identify resources to help protect their identity.”
Cybercriminals have targeted at least two other hospital systems in the Chicago area this year.
In May, a ransomware attack forced hospital group Ascension’s computer systems offline and diverted ambulances away from some of its emergency departments, including one in the Chicago area.
The same month, University of Chicago Medical Center said it was a victim of a hack that may have exposed patient data.
“Hospitals and health systems across the country face constantly evolving cybersecurity threats,” Lurie Children’s said. “For our part, we are working closely with our internal and external experts to further enhance the security of our systems.
The hospital has established a call center for anyone who may have questions about the attack and the hospital’s response. The call center can be reached at (888) 401-0575 between 8 a.m. and 8 p.m. Monday through Friday.
