DuPage Medical Group Informs Patients of Data Security Incident and Offers Support

August 30, 2021

CHICA­GO – Today, DuPage Med­ical Group (DMG) announced that it iden­ti­fied and addressed a data secu­ri­ty inci­dent, and is now noti­fy­ing patients whose infor­ma­tion may have been involved.

On July 13, 2021, DMG expe­ri­enced a secu­ri­ty inci­dent that caused a dis­rup­tion to its net­work sys­tems. DMG imme­di­ate­ly began work­ing with third-par­­ty cyber-foren­sic spe­cial­ists to assist in the inves­ti­ga­tion to deter­mine the full nature and scope of the inci­dent. Through the inves­ti­ga­tion, it was deter­mined that the net­work out­age was caused by unau­tho­rized actors who gained access to the DMG net­work, between July 12, 2021, and July 13, 2021. With the assis­tance of the foren­sic spe­cial­ists, DMG con­duct­ed a thor­ough and time-con­­sum­ing review of its sys­tems to under­stand whether any patient infor­ma­tion may have been impact­ed as a result of this event. On August 17, 2021, we deter­mined that cer­tain files stored with­in our envi­ron­ment that con­tained patient infor­ma­tion may have been impact­ed by this incident. 

DMG is in the process of mail­ing let­ters to a broad and inclu­sive list of indi­vid­u­als direct­ly whose infor­ma­tion may be involved in this inci­dent. The per­son­al infor­ma­tion poten­tial­ly affect­ed by this includ­ed names, address­es, dates of birth, diag­no­sis codes, CPT codes (Cur­rent Pro­ce­dur­al Ter­mi­nol­o­gy, also known as ser­vice codes, are a uni­ver­sal sys­tem that iden­ti­fies med­ical pro­ce­dures), and treat­ment dates. For a small sub­set of indi­vid­u­als, social secu­ri­ty num­bers may also have been affect­ed. To date, DMG has no evi­dence that any infor­ma­tion has been sub­ject to actu­al or attempt­ed mis­use as a result of this inci­dent. This event did not impact finan­cial account numbers. 

While the inves­ti­ga­tion deter­mined that only cer­tain por­tions of the net­work were impact­ed by this event, DuPage Med­ical Group con­duct­ed an exten­sive and thor­ough inves­ti­ga­tion and could not rule out the pos­si­bil­i­ty that files con­tain­ing patients’ infor­ma­tion may have been impact­ed by this event. 

We take this inci­dent seri­ous­ly, and as an added pre­cau­tion, DMG is offer­ing cred­it mon­i­tor­ing and iden­ti­fy theft pro­tec­tion at no cost for those indi­vid­u­als affect­ed and poten­tial­ly affect­ed by this inci­dent. A ded­i­cat­ed call cen­ter has been estab­lished to help address ques­tions. Addi­tion­al infor­ma­tion is avail­able by call­ing the toll-free inci­dent response line at 1−800−709−2027 between the hours of 8 A.M. and 8 P.M. CST Mon­day through Fri­day, or by vis­it­ing www​.dupagemed​ical​group​.com.

The com­pa­ny has imple­ment­ed addi­tion­al cyber­se­cu­ri­ty mea­sures and as part of DMG’s ongo­ing com­mit­ment to the secu­ri­ty of infor­ma­tion, is review­ing exist­ing secu­ri­ty poli­cies to fur­ther pro­tect against future inci­dents and improve our tech­nol­o­gy roadmap to bet­ter serve patients. Addi­tion­al details regard­ing how indi­vid­u­als can pro­tect their infor­ma­tion is includ­ed below.

Steps You Can Take to Help Pro­tect Per­son­al Information

DMG encour­ages poten­tial­ly impact­ed indi­vid­u­als to remain vig­i­lant against inci­dents of iden­ti­ty theft and fraud, to review account state­ments and expla­na­tion of ben­e­fits forms, and to mon­i­tor their cred­it reports and expla­na­tion of ben­e­fits forms for sus­pi­cious activ­i­ty. DMG is pro­vid­ing poten­tial­ly impact­ed indi­vid­u­als with con­tact infor­ma­tion for the three major cred­it report­ing agen­cies, as well as pro­vid­ing advice on how to obtain free cred­it reports and how to place fraud alerts and secu­ri­ty freezes on their cred­it files. The rel­e­vant con­tact infor­ma­tion is below:

Equifax

P.O. Box 105069

Atlanta, GA 30348

1−888−766−0008

www​.equifax​.com

Exper­ian

P.O. Box 9554

Allen, TX 75013

1−888−397−3742

www​.exper​ian​.com

Tran­sUnion

P.O. Box 2000

Chester, PA 19016

1−800−680−7289

www​.tran​sunion​.com

Poten­tial­ly impact­ed indi­vid­u­als may also find infor­ma­tion regard­ing iden­ti­ty theft, fraud alerts, secu­ri­ty freezes and the steps they may take to pro­tect their infor­ma­tion by con­tact­ing the cred­it bureaus, the Fed­er­al Trade Com­mis­sion or their state Attor­ney Gen­er­al. The Fed­er­al Trade Com­mis­sion can be reached at: 600 Penn­syl­va­nia Avenue NW, Wash­ing­ton, DC 20580; www​.iden​ti​tytheft​.gov; 1 – 877-ID-THEFT (1−877−438−4338); and TTY: 1−866−653−4261.

Instances of known or sus­pect­ed iden­ti­ty theft should also be report­ed to law enforce­ment or the individual’s state Attor­ney General.