Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Wednesday, April 23, 2025

View Back issues

Children's hospital faces class action over patient data breach

The plaintiffs in the federal lawsuit say the leak affected over 792,000 patients, mostly children.

CHICAGO (CN) — A federal class action filed in Chicago on Thursday takes the Ann & Robert H. Lurie Children’s Hospital to task over a major cybersecurity breach. The minor plaintiffs in the suit say they fear the leak exposed their personal data — including names, social security numbers and medical histories — to unknown individuals without their consent.

“Plaintiffs have suffered imminent and impending injury arising from the present and ongoing risk of fraud, identity theft, and misuse resulting from their private Information being placed in the hands of cybercriminals,” the children and their parents and guardians say in the complaint.

Lurie does not deny the data breach occurred. The hospital places the incident between Jan. 26 and 31, and in the spring publicly acknowledged its data systems were hacked. Lurie CEO Thomas Shanley further stated in an open online letter that the hospital is working to mitigate the impact on patients.

“Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data,” Shanley said. “Our investigation to date has not identified the impacted data on the dark web or in the public sphere.”

As a form of recompense, Lurie has offered affected patients two years of free access to Experian IdentityWorks, a cybersecurity and identity theft protection suite.

For the plaintiffs, the offer is not nearly enough.

“Defendant’s offer to plaintiffs and the putative class of 24 months of ‘complimentary access to Experian IdentityWorks’ is wholly inadequate compared to what may affected victims may face for the rest of their lives due to the data breach,” they say in the complaint.

The plaintiffs estimate the breach affected over 792,000 current and former Lurie patients, most of them still children. Lurie did not respond to for call to comment on this figure, and does not list its own estimate on its website.

Besides the number of affected patients, the plaintiffs take issue with the amount of time it took for Lurie to alert patients to the breach. While the breach occurred in January, the plaintiffs claim they were not made aware their data had potentially been stolen until late June. Lurie’s website does not say when it began alerting patients to the breach, and its page on the issue has no immediately visible publish date.

However, web data lists June 27 as the publish date for both that page and Shanley’s open letter. The date is consistent with when the plaintiffs say they were made aware that their data was potentially compromised.

“Lurie Children inexplicably waited nearly five months until June 27, 2024, to inform its patients that their [personal and health information] could be compromised as a result of the data breach,” the plaintiffs say in the complaint. “In cases dealing with data breaches, every moment is precious in order to recover data and take the necessary precautions to insulate from the countless harms caused by data breaches.”

Lurie places the blame for the attack on the ransomware group Rhysida, who take their name from a genus of centipede. The same group was responsible for cyberattacks on the British Library and Chilean army last year. According to a screenshot obtained by Cyber Security News, the group attempted to sell the Lurie data for 60 Bitcoin — roughly equivalent to $3.4 million.

The plaintiffs value the controversy at or over $5 million, and demand a jury trial to determine “compensatory, punitive, statutory, and treble damages.”

They are represented by Gary Klinger of the Chicago firm Milberg Coleman as well as attorneys from three other firms.

Categories / Courts, Health, Technology

Subscribe to our free newsletters

Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.

Loading...