A federal judge has allowed several claims to move forward in a lawsuit accusing Lurie Children’s Hospital of Chicago of failing to protect patient data in a 2024 cyberattack that compromised the personal and medical information of about 791,784 people.
The lawsuit stems from a January 2024 ransomware attack carried out by the criminal group Rhysida, which claimed to have sold stolen patient data for about $3.4 million on the dark web. Lurie publicly acknowledged the incident in February but did not formally notify affected families until June 27.
Here are four things to know about the lawsuit:
- U.S. District Judge Andrea Wood on Sept. 27 granted in part and denied in part the hospital’s motion to dismiss the consolidated case, which combines multiple suits brought by patients and parents of minors treated at the hospital. The 34-page memorandum opinion, obtained by Becker’s, was filed in the U.S. District Court for the Northern District of Illinois.
- The judge allowed negligence and breach of implied contract claims to proceed, finding that Illinois law requires entities to maintain reasonable data security measures. She also permitted a subset of plaintiffs — those who experienced identity theft — to pursue claims under the Illinois Personal Information Protection Act.
- Judge Wood dismissed other claims, including negligence per se, breach of fiduciary duty, breach of express contract, unjust enrichment, invasion of privacy, Illinois Consumer Fraud and Deceptive Practices Act, and Illinois Uniform Deceptive Trade Practices Act. She ruled that Lurie’s privacy policies did not create an enforceable express contract with patients.
- At least four plaintiffs reported actual identity theft following the breach, including unauthorized bank accounts and lines of credit opened in their names. Others said they have spent time and money on credit monitoring and fraud prevention.
While several claims were dismissed, Judge Wood’s decision keeps key parts of the litigation alive.
