Lurie Children’s Hospital Named in Class Action Lawsuit Following Ransomware Attack

Date: July 12, 2024

Lurie Children’s Hospital in Chicago has been named in a class action lawsuit following a January 2024 ransomware attack and data breach that exposed the protected health information (PHI) of 775k patients.

“The lawsuit claims Lurie Children’s failed to implement reasonable and appropriate cybersecurity measures and did not comply with industry standards for cybersecurity. Those failures are alleged to have allowed access to be gained to Lurie Children’s network and have left the plaintiffs and class members facing a lifetime risk of identity theft and fraud,” HIPAA Journal reports.

“The lawsuit also takes issue with the time taken to issue notification letters and the lack of information in those letters when they were eventually sent. The lack of information has diminished the ability of the plaintiffs and class members to mitigate the harms resulting from the data breach. The lawsuit alleges negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Illinois Personal Information Protection Act, Illinois Consumer Fraud and Deceptive Business Practices Act, and the Illinois Uniform Deceptive Trade Practices Act.”

Takeaway: Beyond the financial and operational impact from ransomware attacks, organizations should be concerned about the potential loss of sensitive data and intellectual property.

Ransomware operators increasingly threaten to publish or sell stolen data if the ransom is not paid. This can lead to regulatory fines, legal liabilities, and severe damage to the company's brand and customer trust.

The number of class action lawsuits spurred by ransomware attacks that include data exfiltration has skyrocketed in the last two years, and liability risk is also specifically hitting the C-suite and Boards of Directors.

Even if organizations are prepared to respond to and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional liability risk.

We see this most clearly in the evolution of the extortion tactics employed by ransomware actors. Originally, the malicious payloads would encrypt files and demand payment for decryption keys.

Security teams found success in either restoring from backups or accepting the loss of data as a tolerable consequence. Of course, even if systems are restored without paying the ransomware operators for a decryption key, the stolen data remains in the attackers' hands, and there is no guarantee that payment will protect it from being exploited.

The ransomware payload does not enter the picture until late in the attack, so the key to avoiding this situation is to detect the attack earlier in the sequence, long before the ransomware payload is delivered.

Organizations need to understand that today’s ransomware attacks involve a great deal more than just the delivery of malicious code that disrupts operations.

Data exfiltration is central to nearly every major ransomware operation, and the tactic has been so successful that some groups have abandoned the encryption aspect of attacks altogether to focus solely on stealing data and extorting the victim.

Depending on your industry and location, there may be data protection laws and other regulations that require you to report data breaches promptly. Failure to do so can result in substantial fines and legal liabilities.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.