Illinois children’s hospital continues to deal with cyberattack

Lurie Children’s Hospital is grappling with a cyberattack that struck the organization days ago and continues to hamper its systems.

The hospital says it is “actively responding to a cybersecurity matter.” Lurie Chidren’s first disclosed a “network outage” last week and said Feb. 1 it was a cybersecurity incident. The hospital says it is working with law enforcement officials.

“We are taking this very seriously and have launched an investigation with the support of leading experts and are working in collaboration with law enforcement agencies,” Lurie Children’s said in a message posted to its website Sunday.

The phone, emails and computer systems at Lurie Children’s are all largely offline, the hospital says. The email system is largely offline, and isn’t sending or receiving emails from addresses outside the hospital. The hospital has taken its electronic health record system offline.

The hospital has established a call center, the only place Lurie’s can receive external calls. Families and caregivers can call 1-800-543-7362.

Lurie Children’s continues to accept and care for patients. The hospital says it continues to provide emergency care and inpatient care, and surgical procedures are still being performed. The hospital says it has been following contingency plans and is operating under downtime procedures.

Families are being told to continue to bring their children for scheduled appointments, unless their clinician contacts them and says they need to postpone.

“We are very grateful to our workforce and care providers who are committed to preserving our charitable mission during this time,” the hospital says in a message on its website. “We recognize the concern and inconvenience the system's outage may cause our patient-families and community providers and are working diligently to resolve this matter as quickly and effectively as possible.”

WLS-TV in Chicago, an ABC affiliate, spoke with a parent who had a procedure postponed.

Scores of hospitals and healthcare organizations have been hit with cyberattacks in recent years. Cyberattacks targeting private health information affected more than 100 million Americans in 2023, or roughly 1 out of every 3 Americans.

• Read more: These are the 11 biggest health data breaches of 2023

Another Chicago hospital, Saint Anthony Hospital, said last week that it has suffered a recent cybersecurity incident. The hospital said that someone had breached its network and copied files containing patient information on Dec. 18. Saint Anthony said the hospital is still assessing the scope of the breach, which data was taken and how many people are affected.

Cyberattacks can be costly to hospitals and healthcare organizations, and the average cost of a health data breach has reached nearly $11 million, according to IBM Security.

Increasingly, health systems are focused on the impact on patient care. Due to an attack at Ardent Health Services, hospitals had to delay procedures and divert ambulances.

ECRI, the patient safety organization, named cybersecurity as one of the 10 leading healthcare technology hazards in 2024. Marcus Schabacker, MD, president and CEO of ECRI, says healthcare leaders should focus more on the potential of cyberattacks to disrupt patient care, since hospitals are so connected and reliant on electronic health records.

Speaking generally about cyberattacks in healthcare in an interview last week, Schabacker said, “There is a true patient risk as well, because if you’re shutting down your internet, your WiFi, for example, you’re losing all your data on your patients if you are heavily connected, which most larger healthcare institutions are today.”

“Your pumps, your ventilators, your laboratory, your imaging, all those are on the internet and transfer data to the electronic medical record system wirelessly,” he continues. If those systems aren’t available, he adds, “You can easily imagine the implications for patient safety.”