On August 30, 2021, Downers Grove, IL-based DuPage Medical Group announced it had been affected by a ransomware attack. DuPage is the largest independent physician group in Illinois and has more than 900 physicians who provide over 19,000 appointments a day.
Between July 12 and July 13, 2021, the group suffered a network outage, which was rapidly identified as a ransomware attack. The forensic investigation confirmed unauthorized individuals had gained access to parts of its network that contained patients’ protected health information.
A review of files potentially accessed and exfiltrated by the hackers was completed on August 17, 2021, and revealed that the personal and protected health information of 655,384 individuals had been exposed, including names, addresses, dates of birth, diagnosis codes and treatment dates, and, for a limited number of individuals, Social Security numbers.
No evidence was obtained during the course of the investigation to suggest any data had been subject to actual or attempted misuse, but as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services for one year.
This was the largest healthcare data breach to be reported by an Illinois healthcare provider so far this year, and one of the largest healthcare ransomware attacks to date anywhere in the United States.
Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to issue notifications to patients within 60 days of discovering a data breach. Notifications were sent to affected individuals in late August.
“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” said DuPage Medical Group in a statement.
Ransomware attacks have plagued the healthcare industry over the past two years, and attacks have increased in 2021. It is now common for data to be exfiltrated before ransomware is used to encrypt files, and for healthcare data to be held to ransom. Payment demands are issued not only for the keys to decrypt ransomware-encrypted data, but also to prevent the publication or sale of patient data. It is unclear whether DuPage Medical Group paid the ransom and whether patient data were in fact exfiltrated prior to data encryption.
There is also a growing trend for patients to take legal action against healthcare providers that have suffered ransomware attacks, and this incident is no exception. Just a few days after notification letters were sent, two patients took legal action against DuPage Medical Group.
The lawsuit seeks class action status and alleges DuPage Medical Group was negligent for failing to prevent the ransomware attack. Despite sending notification letters to patients promptly, the group has also been accused of not providing notifications quickly enough.
The lawsuit alleges patients now face an elevated risk of suffering identity theft and must now spend time and money protecting themselves against fraud. The lawsuit seeks damages, reimbursement of out-of-pocket costs, legal costs, and improvements to the group’s security systems to better protect patient data.