655,000 DuPage Medical Group Patients Notified About PHI Breach

DuPage Medical Group, the largest independent physician group in the state of Illinois, has started notifying 655,384 patients about a security breach in which their personal and protected health information may have been compromised.

DuPage Medical Group identified suspicious activity in its computer network on July 13, 2021 and engaged cyber forensic specialists to conduct an investigation to determine the full nature and scope of the breach. They determined unauthorized actors had gained access to its IT systems on July 12 and access remained possible until the breach was detected on July 13 and its network was secured.

A comprehensive review was conducted of all files on the systems that were accessible to the hackers and, on August 17, 2021, DuPage Medical Group confirmed that files containing patient information had potentially been impacted.

The types of information potentially compromised in the security breach varied from patient to patient and may have included the following data elements: Names, address­es, dates of birth, diag­no­sis codes, Cur­rent Pro­ce­dur­al Ter­mi­nol­o­gy (CPT) codes, and treat­ment dates. The Social Security numbers of a small subset of patients were affected, but no financial information was exposed.

DuPage Medical Group said the forensic investigation uncovered no evidence to suggest any information stored on the affected systems has been sub­ject to actu­al or attempt­ed mis­use as a result of the security inci­dent; however, as a precaution against identity theft and fraud, complimentary credit monitoring and identity theft protection services are being offered to all individuals affected by the breach.

The exact nature of the cyberattack was not disclosed so it is unclear if the attackers attempted to deploy ransomware. DuPage Med­ical Group said the security breach “caused a disruption to network systems” and resulted in a “network outage.”

DuPage Medical Group said it has reviewed its existing security measures and has already implemented additional cybersecurity protections to reduce the risk of further cyberattacks, and will “improve every aspect of our tech­nol­o­gy roadmap to bet­ter serve patients.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.