Personal information belonging to 600,000 patients of DuPage Medical Group may have been compromised following a cybersecurity attack on the healthcare provider’s network.
While no evidence suggests actual or attempted misuse, DMG is mailing letters to a broad and inclusive list of individuals directly. Among the possible information affected are names, addresses, dates of birth, diagnosis codes, CPT codes and treatment dates, as well as social security numbers for a smaller subset of patients. Financial account numbers were not impacted, DMG stresses.
The incident is the largest reported cybersecurity incident involving a healthcare entity in Illinois this year, according to the Chicago Tribune.
“The company has implemented additional cybersecurity measures, and as part of DMG’s ongoing commitment to the security of information, is reviewing existing security policies to further protect against future incidents and improve our technology roadmap to better serve patients,” said the provider in a statement.
An independent, multispecialty physician group, DMG has more than 750 physicians and 120 Chicagoland locations. Unauthorized actors accessed its network between July 12 and July 13 and caused a network outage that affected computers and phones for nearly a week, according to the Tribune. Working with third-party cyber-forensic specialists, DMG investigated and determined on August 17 that parts of the network were affected and that certain files with patient information may have been impacted.
The provider is offering free credit monitoring and identity theft protection to those affected and potentially affected by the incident, and has set up a dedicated call center to answer questions. It is encouraging individuals to review account statements and explanation of benefits forms, and to monitor credit reports for suspicious activity.
Just prior to the incident, another took place in Las Vegas, in which the notorious hacker group, REvil, posted on its website images of Nevada driver’s licenses, passports and social security numbers belonging to patients at University Medical Center. The identities of the unauthorized actors at DMG were not revealed.
At least 21 other organizations in Illinois have experienced data breaches of protected health information belonging to 500 or more individuals this year, reports the Tribune. It adds that because more than 500 patients may have been impacted, DMG will have to report the incident to the U.S. Department of Health and Human Services within 60 days of discovering the breach, as well as to a prominent media outlet.
A report by CynergisTek in 2020 found that out of 1,000 hospitals and healthcare systems, only 44% met national standards for cybersecurity and had conformed to protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). Scores in some cases dated as far back as 2017.
The COVID-19 pandemic has only furthered these challenges, according to Axel Wirth, chief security strategist for MedCrypt. He says the adoption of telehealth, increase in consumerization, intellectual property protection and greater need for surge preparedness will force providers to rethink how they view and implement cybersecurity protection going forward.
“In order to utilize the promise of IT-enhanced care delivery we will need to recognize the new and increasing cyber risks and will need to develop a proactive approach to address them,” he said.