DuPage Medical Group Faces Lawsuit for July 2021 Ransomware Attack

Two DuPage Medical Group patients are filing a lawsuit against the healthcare company subsequent to a July 2021 ransomware attack whereby patients’ protected health information (PHI) was exposed.

DuPage Medical Group encountered a ransomware attack in the middle of July. The forensic investigation confirmed unauthorized people had acquired access to its computer system between July 12 and July 13, and used ransomware to try to extort cash. The attack resulted in a serious computer and telephone outage that continued for approximately one week.

On August 17, the forensic investigators established hackers had obtained access to sections of the computer network that stored the PHI of 655,384 patients, and likely accessed or acquired patient names, dates of birth, addresses, diagnosis codes, treatment dates, and clinical procedure codes. The Social Security numbers of a number of patients were likewise potentially breached.

The medical group began delivering notification letters to affected patients in the latter part of August. When sending notices, DuPage Medical Group explained it did not know of any actual or attempted patient information misuse, although the likelihood cannot be eliminated. The impacted patients got complimentary credit monitoring and identity theft protection services.

On September 1, 2021, Erin Peiss And Rochelle Hestrup filed the lawsuit in DuPage County Circuit Court, just a couple of days after the healthcare service provider mailed notification letters to patients. The lawsuit claims DuPage Medical Group did not employ suitable defenses to safeguard against ransomware attacks and that it didn’t keep track of its computer system comprising patient data. The lawsuit furthermore states DuPage Medical Group failed to advise patients fast enough, though notification letters were sent within the 60-day time frame of the HIPAA Breach Notification Rule.

The legal case claims, due to the data breach, plaintiffs and class members were subjected to a higher and forthcoming threat of fraud and identity theft. The legal action wants class-action status and the plaintiffs would like damages, compensation of out-of-pocket costs, and call for DuPage Medical Group to make enhancements to its security programs to better secure sensitive patient information.

DuPage Medical Group stated in a Chicago Tribune report that the medical group continues to be dedicated to information safety, and even though they are uninformed currently of any attempted or actual data misuse, they know the problem that this probable access causes.