DuPage Medical Group began notifying 600K patients that their protected health information may have been compromised in a cyberattack that resulted in network and phone outages.
By Jill McKeon
September 01, 2021 - DuPage Medical Group (DMG), the largest independent physician group in Illinois, began notifying patients of a healthcare data breach that may have exposed protected health information (PHI).
Approximately 600,000 patients are being notified of the breach, according to the Chicago Tribune. If 600,000 individuals were affected, the breach may constitute the state’s largest reported healthcare cybersecurity incident of 2021 to date. The exact number of impacted individuals has not yet been posted on the Office for Civil Rights (OCR) data breach portal.
An unauthorized third party gained access to the group’s network between July 12 and July 13, 2021. On August 17, forensic analysis revealed that names, addresses, birthdates, CPT codes, treatment codes, and some Social Security numbers may have been exposed.
In mid-July, the Chicago Tribune reported that DMG faced network and phone outages that persisted for nearly a week. Investigations revealed that the outages were the result of a cybersecurity incident.
“While the investigation determined that only certain portions of the network were impacted by this incident, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event,” DPG’s statement explained.
“As a result, a broad and inclusive list of patients whose information may have been involved in this incident are being notified by DMG as a precaution.”
DMG found no evidence that any patient information was subject to misuse as a result of the breach, but the possibility has not been ruled out. Impacted patients will receive free credit monitoring and identity theft protection.
As a result of the incident, DMG said that it notified law enforcement and enhanced existing security procedures to prevent future data breaches.
“Information security is among DMG’s highest priorities. Upon becoming aware of this incident, we immediately took steps to confirm the security of our systems,” the statement continued.
“As part of our ongoing commitment to the security of information, we are reviewing existing security policies and have implemented additional cybersecurity measures to further protect against similar incidents from occurring in the future. In addition, we notified law enforcement and are supporting their investigation into this incident.”
The medical group does not yet ha