Patients Sue DuPage Medical Group over July 2021 Ransomware Attack

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information was exposed.

DuPage Medical Group suffered the ransomware attack in mid-July. The forensic investigation determined unauthorized individuals had gained access to its computer network between July 12 and July 13, and deployed ransomware in an attempt to extort money. The attack caused a major computer and phone outage that lasted around a week.

On August 17, the forensic investigators confirmed hackers had gained access to parts of the computer network that contained the protected health information of 655,384 patients, and potentially viewed or obtained patient names, addresses, dates of birth, diagnosis codes, medical procedure codes, and treatment dates. Some Social Security numbers may also have been compromised.

Notification letters started to be sent to affected patients in late August. At the time of issuing notifications, DuPage Medical Group said it was unaware of any actual or attempted misuse of patient data, although the possibility could not be ruled out. Free credit monitoring and identity theft protection services have been offered to affected patients.

The lawsuit was filed in DuPage County Circuit Court on behalf of Rochelle Hestrup and Erin Peiss on September 1, 2021, just a few days after the healthcare provider mailed notification letters to patients. The lawsuit alleges DuPage Medical Group was negligent for not implementing appropriate defenses to protect against ransomware attacks and that it failed to monitor its computer network and systems containing patient information. The lawsuit also alleges DuPage Medical Group did not notify patients quickly enough, even though notification letters were mailed well inside the 60-day deadline of the HIPAA Breach Notification Rule.

The lawsuit alleges, “As a direct result of the data breach, plaintiffs and class members have been exposed to a heightened and imminent risk of fraud and identity theft.” The lawsuit seeks class action status, and the plaintiffs are seeking damages, reimbursement of out-of-pocket expenses, and a requirement that DuPage Medical Group make improvements to its security systems to better protect sensitive patient data.

“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” said DuPage Medical Group in a statement to the Chicago Tribune.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.