Children’s Hospital Notifies 800,000 of Data Theft in Attack – Source: www.databreachtoday.com

Breach Notification
,
Fraud Management & Cybercrime
,
Healthcare

Chicago Pediatrics Center Refused to Pay Ransom to Rhysida Cybercrime Group

Marianne Kolbasuk McGee (HealthInfoSec) •
July 3, 2024    

A Chicago pediatrics hospital is notifying nearly 800,000 people that their sensitive information was compromised in a ransomware attack earlier this year. Ransomware-as-a-service group Rhysida had demanded a $3.4 million ransom for data stolen in the disruptive January attack. The hospital said it did not pay.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

In a breach notice posted on its website, Ann & Robert H. Lurie Children’s Hospital of Chicago said its investigation into the ransomware incident determined that information stored on certain IT systems was accessed and copied by the cybercriminals (see: Rhysida Offers to Sell Children’s Hospital Data for $3.4M).

Data contained in Lurie Children’s Epic electronic health record was not accessed in the attack, the hospital notice said. Potentially affected individuals includes patients, their family members, Lurie Children’s employees and others.

Information that was compromised varies among individuals, but includes name, address, birthdate, dates of service, driver’s license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number and telephone number.

Lurie Children’s Hospital, in a breach report filed last week to Maine’s attorney general, said the incident affected 791,784 individuals, including eight Maine residents. As of Wednesday, Lurie Children’s hacking incident had not yet been posted to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing major health data breaches affecting 500 or more individuals.

“Lurie Children’s did not pay a ransom. Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken,” the hospital said in its breach notice. “Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data.”

Lurie Children’s in a statement to Information Security Media Group said that the hospital’s investigation to date “has not identified the impacted data on the dark web or in the public sphere.”

The hospital is offering affected individuals 24 months of complimentary identity and credit monitoring.

“Lurie Children’s is not alone – many organizations today, especially hospitals and health systems across the country, face constantly evolving cybersecurity threats,” the hospital told ISMG.

“We are working closely with our internal and external experts to further enhance the security of our systems. Lurie Children’s takes the security of our system and the information entrusted to us seriously. As such, we continue to invest in our cybersecurity program and controls.”

Lurie Children’s phones and IT systems, including access to its EHRs and patient portal, were disrupted for several weeks as the hospital recovered from the attack (see: Systems, Phones Still Offline at Chicago Children’s Hospital).

Other Considerations

A proposed class action lawsuit alleging negligence and other claims has been filed against Lurie Children’s in an Illinois federal court.

That lawsuit complaint, filed by the guardian of a minor patient affected by the incident on behalf of others similarly situated, seeks at least three years of credit monitoring, financial damages and an injunctive order for Lurie Children’s to bolster its data security program.

Rhysida, which took credit for the attack and demanded a $3.4 million from Lurie Children’s, was the subject of an alert to the healthcare sector by HHS’ Health Sector Cybersecurity Coordination Center last August (see: Authorities Warn Health Sector of Attacks by Rhysida Group).

The cybercriminal group emerged in May 2023. As of Wednesday, dark web monitoring website DarkFeed counted 101 Rhysida victims.

“Nation-states and their affiliated crime organizations and activists are openly attacking the U.S. healthcare sector with the intent to disrupt and destabilize,” said Mike Hamilton, founder and CISO of security firm Critical Insight. “The attack against Lurie Children’s and theft of PII and PHI of minors was very likely solely for the purpose of criminal gain and not conducted by a state actor.”

When a breached entity such as Lurie Children’s refuses to pay a ransom, “it is possible a class action attorney may argue that the failure to pay the extortion demand guaranteed that the records would be made public or put up for sale,” Hamilton said.

“However, when unauthorized disclosure of protected information occurs, the insurance company for the victim organization is usually making the determination as to whether or not the ransom is paid.

“Further, it can be argued that criminals are dishonest, and even paying the ransom does not provide assurance that the records will not be made public or sold on the dark web. Using an argument of failure to pay as a basis for class action is not likely to be successful,” he said.

Healthcare entities that handle information pertaining to children and other particularly sensitive records should consider exercising extra vigilance in safeguarding that data, some experts said.

“While there are no additional legal precautions that are required to protect minors’ individually identifiable health information or protected health information, their information – much like psychotherapy notes or substance use disorder treatment – not only has a heightened sensitivity associated with it, but can be exploited in other ways,” said regulatory attorney Rachel Rose.

Minors, she said, “are at risk for online solicitation, bullying, and trafficking. Ensuring that an annual risk analysis is conducted to ensure that technical, administrative, and physical safeguards are in place is paramount.”

The controls applied to the protection of information confidentiality and integrity should be risk-based, Hamilton said. “Given that children’s health and privacy information is highly monetizable and that empirically we see that it is being routinely stolen, it should be given the greatest protection possible,” he said.

“Controls in excess might include a prohibition on user internet access, for example, to cut off the use of personal email as an initial access method.”

Minors whose information is compromised in hacking and other data security incidents are particularly vulnerable to identity theft and fraud, as well as other potential misuses, for potentially long periods of time.

“First, not all information is used right away. It may appear years later when the person is of age,” Rose said. “Second, if a cybercriminal tracks the individuals and their social media pages or hacks into their phones, there could be other data, including pictures, that cybercriminals could exploit.

“Lastly, it underscores the importance of credit monitoring throughout one’s lifetime and utilizing services that enable the individual to turn ‘on and off’ when a third party can access their credit profile and scores,” she said.