DuPage Medical Group Faces Lawsuit After Cyberattack Impacts 600K

Less than a week after DuPage Medical Group notified over 600,000 patients of a cyberattack that exposed PHI, two patients filed a lawsuit seeking damages.

Illinois-based DuPage Medical Group (DMG) is facing a lawsuit just a few days after it notified over 600,000 patients of a cyberattack that may have compromised protected health information (PHI).

The two patients who filed the suit are seeking class-action status and alleged that DuPage Medical Group did not do enough to prevent the cyberattack and delayed telling patients about the breach, according to a report published by the Chicago Tribune.

DMG discovered the cyberattack on July 13 and determined that an unauthorized third party gained access to its network. DMG experienced network and phone outages for nearly a week.

The medical group began notifying patients of the incident in late August, after discovering on August 17 that the exposed information included patient names, Social Security numbers, addresses, birthdates, CPT codes, and treatment codes.

“While the investigation determined that only certain portions of the network were impacted by this incident, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event,” DMG’s initial statement explained.

“As a result, a broad and inclusive list of patients whose information may have been involved in this incident are being notified by DMG as a precaution.”

The plaintiffs are seeking damages, improvements to DMG’s data security systems, and reimbursement for out-of-pocket costs.

In a statement obtained by the Chicago Tribune, DuPage said that it had not yet been served with the lawsuit and needs time to analyze the allegations.

“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” DuPage Medical Group explained in the statement.

The plaintiffs alleged that DMG failed to monitor its computer network and that the breach resulted in a high risk of identity theft and fraud for the class members.

DMG stated that it had no evidence that any information was misused, but the possibility could not be ruled out. The medical group will provide free credit monitoring and identity theft protection.

As ransomware groups claim more victims, large and small hospital systems and business associates have been urged to improve cybersecurity efforts and educate employees on common cyber threats.

A recent study found that while hospitals achieved significantly lower cybersecurity ratings compared to Fortune 1000 firms from 2014 to 2016, healthcare providers have been slowly closing the gap ever since. By 2017, researchers found that the gap between hospital cybersecurity ratings and those of other industries was no longer statistically significant.

Despite this optimistic finding, hospitals remain significantly more vulnerable to cyber threats than most other industries. Hospitals arguably also have the most to lose. Data breaches can result in compromised PHI, EHR downtime, and even risks to patient safety.
