Protected Health Information Exposed in Large Cyberattack in IL

DuPage Medical Group began notifying 600K patients that their protected health information may have been compromised in a cyberattack that resulted in network and phone outages.

By Jill McKeon

September 01, 2021 - DuPage Medical Group (DMG), the largest independent physician group in Illinois, began notifying patients of a healthcare data breach that may have exposed protected health information (PHI).

Approximately 600,000 patients are being notified of the breach, according to the Chicago Tribune. If 600,000 individuals were affected, the breach may constitute the state’s largest reported healthcare cybersecurity incident of 2021 to date. The exact number of impacted individuals has not yet been posted on the Office for Civil Rights (OCR) data breach portal.

An unauthorized third party gained access to the group’s network between July 12 and July 13, 2021. On August 17, forensic analysis revealed that names, addresses, birthdates, CPT codes, treatment codes, and some Social Security numbers may have been exposed.

In mid-July, the Chicago Tribune reported that DMG faced network and phone outages that persisted for nearly a week. Investigations revealed that the outages were the result of a cybersecurity incident.

“While the inves­ti­ga­tion deter­mined that only cer­tain por­tions of the net­work were impact­ed by this inci­dent, DuPage Med­ical Group con­duct­ed an exten­sive and thor­ough inves­ti­ga­tion and could not rule out the pos­si­bil­i­ty that files con­tain­ing patients’ infor­ma­tion may have been impact­ed by this event,” DPG’s statement explained.

“As a result, a broad and inclu­sive list of patients whose infor­ma­tion may have been involved in this inci­dent are being noti­fied by DMG as a precaution.”

DMG found no evidence that any patient information was subject to misuse as a result of the breach, but the possibility has not been ruled out. Impacted patients will receive free credit monitoring and identity theft protection.

As a result of the incident, DMG said that it notified law enforcement and enhanced existing security procedures to prevent future data breaches.

“Infor­ma­tion secu­ri­ty is among DMG’s high­est pri­or­i­ties. Upon becom­ing aware of this inci­dent, we imme­di­ate­ly took steps to con­firm the secu­ri­ty of our sys­tems,” the statement continued.

“As part of our ongo­ing com­mit­ment to the secu­ri­ty of infor­ma­tion, we are review­ing exist­ing secu­ri­ty poli­cies and have imple­ment­ed addi­tion­al cyber­se­cu­ri­ty mea­sures to fur­ther pro­tect against sim­i­lar inci­dents from occur­ring in the future. In addi­tion, we noti­fied law enforce­ment and are sup­port­ing their inves­ti­ga­tion into this incident.”

The medical group does not yet ha