Notice of Data Security Incident

On July 13, 2021, DMG experienced a security incident that caused a disruption to its network systems. DMG immediately began working with third-party cyber-forensic specialists to assist in the investigation to determine the full nature and scope of the incident. Through the investigation, it was determined that the network outage was caused by unauthorized actors who gained access to the DMG network, between July 12, 2021, and July 13, 2021. With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information that may have been impacted as a result of this event. On August 17, 2021, we determined that certain files stored within our environment that contained patient information may have been impacted by this event.

DMG is in the process of mailing letters to a broad and inclusive list of individuals directly whose information may be involved in this incident. The personal information potentially affected by this included names, addresses, dates of birth, diagnosis codes, CPT codes (Current Procedural Terminology, also known as service codes, are a universal system that identifies medical procedures), and treatment dates. For a small subset of individuals social security numbers may also have been affected. DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers.

While the investigation determined that only certain portions of the network were impacted by this incident, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event. As a result, a broad and inclusive list of patients whose information may have been involved in this incident are being notified by DMG as a precaution.

Although DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident, we understand that individuals may have concerns and as an added precaution, DMG is offering credit monitoring and identify theft protection at no cost for those individuals affected and potentially affected by this incident. A dedicated call center has been established to help address questions about this incident. Additional information is available by calling the toll-free incident toll-free incident response line at 1−800−709−2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

The company has implemented additional cybersecurity measures and as part of DMG’s ongoing commitment to the security of information, is reviewing existing security policies to further protect against future incidents and improve every aspect of our technology roadmap to better serve patients. Additional details regarding how individuals can protect their information, should they feel it appropriate to do so, is included below.

Frequently Asked Questions (FAQs)

Q. What happened?

On July 13, 2021, DuPage Medical Group experienced a security incident that caused a disruption to our network systems. We immediately began working with third-party cyber-forensic specialists to assist in our investigation to determine the full nature and scope of the incident. It was determined that the network outage was caused by unauthorized actors who gained access to the DMG network between July 12, 2021 and July 13, 2021.

Through the investigation, it was determined that certain systems containing information related to patients may have also been impacted by this event. DMG, with the assistance of the forensic specialists, conducted a thorough and time-consuming review of its systems to determine whether any patient information that may have been impacted as a result of this event. On August 17, 2021, we discovered that certain files stored within our environment that contained patient information may have been impacted by this event.

Once it was determined that personal information was potentially involved in this incident, DuPage Medical Group moved quickly to notify those individuals and government regulators, in accordance with applicable law. DMG is in the process of mailing letters notifying patients directly whose information may be involved in this incident and established a dedicated, toll-free call center to help answer patient questions.

To date, DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. DMG’s review of information is ongoing, however and encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors. Credit monitoring and identify theft protection is being offered at no cost through Equifax to those individuals affected and potentially affected by this incident.

Q. When did DMG learn of this incident?

On July 13, 2021, DMG first learned of the suspicious activity and immediately took steps to address the situation.

Q. When did the incident occur?

Q. What information/data was involved?

The information impacted potentially includes names, addresses, dates of birth, diagnosis codes, CPT codes, and treatment dates for certain patients. Current Procedural Terminology, also known as service codes, are a universal system that identifies medical procedures. DMG’s review of information is ongoing, however, to date, there is no indication that any of personal information has been subject to actual or attempted misuse as a result of this incident. This incident also impacted Social Security numbers for a subset of patients. DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers. Affected individuals are being notified by DMG by mail and the specific information impacted for individuals will be present in the letter.

In addition, while the investigation determined that only certain portions of the network were impacted by this event, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event. As a result, a broad and inclusive list of patients whose information may have been involved in this incident are being notified by DMG as a precaution.

Q. How can I find out if my information may have been affected by this incident?

Affected individuals are being notified by DMG by mail and we are in the process of mailing notice letters to patients whose information may be involved. If your information was involved, we expect that you will receive your letter soon. However, if you would like to understand if your information may have been affected sooner, you may call DMG’s toll-free incident toll-free incident response line at 1−800−709−2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

Q. Has my information been misused?

There is no indication of any actual or attempted misuse of your information. We wanted to provide you with information about the incident, our response, and steps you may take to better protect against the possibility of identity theft and fraud, should you feel it necessary.

Q. What support and protection is DMG offering to affected individuals?

We share in the frustration and concern this incident may have caused you. Although DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident, we understand that individuals may have concerns and as an added precaution, DMG is offering credit monitoring and identify theft protection at no cost through Equifax to those individuals affected and potentially affected by this incident. A dedicated call center has been established to help address questions about this incident. Additional information is available by calling the toll-free incident toll-free incident response line at 1−800−709−2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

Q. Have you notified law enforcement?

Yes, we notified law enforcement and are supporting their investigation into this incident.

Q. Who are the unauthorized actors/parties responsible for this incident?

We reported this matter to law enforcement and are supporting their investigation into this incident. We are unable to provide any additional information.

Q. How do you know the systems are safe now?

Information security is among DMG’s highest priorities. Upon becoming aware of this incident, we immediately took steps to confirm the security of our systems. As part of our ongoing commitment to the security of information, we are reviewing existing security policies and have implemented additional cybersecurity measures to further protect against similar incidents from occurring in the future. In addition, we notified law enforcement and are supporting their investigation into this incident.

Q. What did DMG do in response to this incident?

DMG takes the security of personal information in its care seriously. Upon learning of this incident, DMG moved quickly to assess and address the security of its systems, notify law enforcement and potentially impacted individuals. As part of its ongoing commitment to information security, DMG is also reviewing and enhancing existing policies and procedures. DMG also reported this incident to state and federal regulators.

Q. What steps can I take to protect my information?

DMG encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their credit reports and explanation of benefits forms for suspicious activity. DMG is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. The relevant contact information is below:

Equifax

P.O. Box 105069

Atlanta, GA 30348

1−888−766−0008

www.equifax.com

Experian

P.O. Box 9554

Allen, TX 75013

1−888−397−3742

www.experian.com

TransUnion

P.O. Box 2000

Chester, PA 19016

1−800−680−7289

www.transunion.com

Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1 – 877-ID-THEFT (1−877−438−4338); and TTY: 1−866−653−4261.

Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.

Notice of Data Security Incident

Fre­quent­ly Asked Ques­tions (FAQs)

Q. What happened?

Q. When did DMG learn of this incident?

Q. When did the inci­dent occur?

Q. What information/​data was involved?

Q. How can I find out if my infor­ma­tion may have been affect­ed by this incident?

Q. Has my infor­ma­tion been misused?

Q. What sup­port and pro­tec­tion is DMG offer­ing to affect­ed individuals?

Q. Have you noti­fied law enforcement?

Q. Who are the unau­tho­rized actors/​parties respon­si­ble for this incident?

Q. How do you know the sys­tems are safe now?