Patients Take Legal Action Against DuPage Medical Group Due to July 2021 Ransomware Attack

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information (PHI) was compromised.

DuPage Medical Group experienced the ransomware attack in mid-July. The forensic investigation established that unauthorized persons had access to its computer network from July 12 to July 13 and deployed ransomware in an effort to extort money. The attack caused a major computer and phone outage that lasted about a week.

On August 17, the forensic investigators confirmed that the hackers had obtained access to portions of the computer system that held the protected health information of 655,384 patients, and may have viewed or obtained patient names, birth dates, addresses, diagnosis codes, treatment dates and medical procedure codes. The Social Security numbers of some patients were also potentially exposed.

The medical group started sending notification letters to affected patients in late August. At the time the notifications were issued, DuPage Medical Group stated it was not aware of any actual or attempted misuse of patient data, although the possibility could not be ruled out. The affected patients were offered free credit monitoring and identity theft protection services.

The lawsuit was filed in DuPage County Circuit Court on behalf of Rochelle Hestrup and Erin Peiss on September 1, 2021, only a few days after the healthcare company mailed breach notification letters to patients. The lawsuit claims DuPage Medical Group failed to implement proper defenses against ransomware attacks and did not monitor the computer network that contains patient records. The lawsuit additionally states that DuPage Medical Group did not inform patients quickly enough, though the notification letters were sent well within the 60-day deadline of the HIPAA Breach Notification Rule.

The lawsuit states that, because of the data breach, the plaintiffs and class members were exposed to an increased and impending risk of fraud and identity theft. The legal action seeks class-action status, and the plaintiffs are seeking damages and repayment of out-of-pocket expenditures, and want DuPage Medical Group to make changes to its security applications to better secure sensitive patient data.

DuPage Medical Group said in a Chicago Tribune report that the company remains committed to information privacy and that, though it is not aware at the moment of any attempted or actual information misuse, it understands the issue that this possible access causes.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA