CHICAGO – Today, DuPage Medical Group (DMG) announced that it identified and addressed a data security incident, and is now notifying patients whose information may have been involved.
On July 13, 2021, DMG experienced a security incident that caused a disruption to its network systems. DMG immediately began working with third-party cyber-forensic specialists to assist in the investigation to determine the full nature and scope of the incident. Through the investigation, it was determined that the network outage was caused by unauthorized actors who gained access to the DMG network, between July 12, 2021, and July 13, 2021. With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information may have been impacted as a result of this event. On August 17, 2021, we determined that certain files stored within our environment that contained patient information may have been impacted by this incident.
DMG is in the process of mailing letters to a broad and inclusive list of individuals directly whose information may be involved in this incident. The personal information potentially affected by this included names, addresses, dates of birth, diagnosis codes, CPT codes (Current Procedural Terminology, also known as service codes, are a universal system that identifies medical procedures), and treatment dates. For a small subset of individuals, social security numbers may also have been affected. To date, DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers.
While the investigation determined that only certain portions of the network were impacted by this event, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event.
We take this incident seriously, and as an added precaution, DMG is offering credit monitoring and identify theft protection at no cost for those individuals affected and potentially affected by this incident. A dedicated call center has been established to help address questions. Additional information is available by calling the toll-free incident response line at 1−800−709−2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday, or by visiting www.dupagemedicalgroup.com.
The company has implemented additional cybersecurity measures and as part of DMG’s ongoing commitment to the security of information, is reviewing existing security policies to further protect against future incidents and improve our technology roadmap to better serve patients. Additional details regarding how individuals can protect their information is included below.
Steps You Can Take to Help Protect Personal Information
DMG encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their credit reports and explanation of benefits forms for suspicious activity. DMG is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. The relevant contact information is below:
Equifax P.O. Box 105069 Atlanta, GA 30348 1−888−766−0008 | Experian P.O. Box 9554 Allen, TX 75013 1−888−397−3742 | TransUnion P.O. Box 2000 Chester, PA 19016 1−800−680−7289 |
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1 – 877-ID-THEFT (1−877−438−4338); and TTY: 1−866−653−4261.
Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.