Protected Health Information Exposed in Large Cyberattack in IL

DuPage Medical Group (DMG), the largest independent physician group in Illinois, began notifying patients of a healthcare data breach that may have exposed protected health information (PHI).

Approximately 600,000 patients are being notified of the breach, according to the Chicago Tribune. If 600,000 individuals were affected, the breach may constitute the state’s largest reported healthcare cybersecurity incident of 2021 to date. The exact number of impacted individuals has not yet been posted on the Office for Civil Rights (OCR) data breach portal.

An unauthorized third party gained access to the group’s network between July 12 and July 13, 2021. On August 17, forensic analysis revealed that names, addresses, birthdates, CPT codes, treatment codes, and some Social Security numbers may have been exposed.

In mid-July, the Chicago Tribune reported that DMG faced network and phone outages that persisted for nearly a week. Investigations revealed that the outages were the result of a cybersecurity incident.

“While the inves­ti­ga­tion deter­mined that only cer­tain por­tions of the net­work were impact­ed by this inci­dent, DuPage Med­ical Group con­duct­ed an exten­sive and thor­ough inves­ti­ga­tion and could not rule out the pos­si­bil­i­ty that files con­tain­ing patients’ infor­ma­tion may have been impact­ed by this event,” DPG’s statement explained.

“As a result, a broad and inclu­sive list of patients whose infor­ma­tion may have been involved in this inci­dent are being noti­fied by DMG as a precaution.”

DMG found no evidence that any patient information was subject to misuse as a result of the breach, but the possibility has not been ruled out. Impacted patients will receive free credit monitoring and identity theft protection.

As a result of the incident, DMG said that it notified law enforcement and enhanced existing security procedures to prevent future data breaches.

“Infor­ma­tion secu­ri­ty is among DMG’s high­est pri­or­i­ties. Upon becom­ing aware of this inci­dent, we imme­di­ate­ly took steps to con­firm the secu­ri­ty of our sys­tems,” the statement continued.

“As part of our ongo­ing com­mit­ment to the secu­ri­ty of infor­ma­tion, we are review­ing exist­ing secu­ri­ty poli­cies and have imple­ment­ed addi­tion­al cyber­se­cu­ri­ty mea­sures to fur­ther pro­tect against sim­i­lar inci­dents from occur­ring in the future. In addi­tion, we noti­fied law enforce­ment and are sup­port­ing their inves­ti­ga­tion into this incident.”

The medical group does not yet have any information about the responsible bad actors, but law enforcement’s investigation is ongoing.

Also in Illinois, Metro Infectious Disease Consultants recently faced a healthcare data breach that impacted 171,000 patients when a third-party actor gained access to employee email accounts.

Hackers are increasingly turning their attention to outpatient facilities and business associates as larger hospital systems improve their cybersecurity efforts in light of recent attacks.

A recent study revealed that healthcare data breaches increased during the COVID-19 pandemic due to increased cyber vulnerabilities. The healthcare sector saw a 51 percent increase in data breaches in 2020 compared to 2019.

The pandemic created a perfect diversion for cyber criminals who can hack into a provider’s network as healthcare systems struggle to stay afloat during a period of global turmoil.