The lawsuit, filed on behalf of Rochelle Hestrup and Erin Peiss in DuPage County Circuit Court on Wednesday, alleges that DuPage Medical Group didn’t do enough to protect patients’ personal information and didn’t tell them quickly enough about the breach.
The plaintiffs are seeking damages, reimbursement of out-of-pocket costs and improvements to DuPage Medical Group’s data security systems, among other things.
DuPage Medical Group said in a statement Thursday that it had not yet been served with the lawsuit and would need time to analyze the allegations.
“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” DuPage Medical Group said in the statement.
The lawsuit alleges that DuPage Medical Group and its employees “failed to properly monitor the computer network and systems housing the private information.”
“As a direct result of the data breach, plaintiffs and class members have been exposed to a heightened and imminent risk of fraud and identity theft,” the complaint alleges.
DuPage Medical Group disclosed news of the breach Monday, saying that it was notifying 600,000 patients that their personal information may have been compromised.
In mid-July, the medical group experienced a computer and phone outage that lasted nearly a week. Following that outage, DuPage Medical Group worked with cyber-forensic specialists to investigate the incident and found that it was caused by “unauthorized actors” who accessed its network between July 12 and July 13, according to a DuPage Medical Group news release.
The investigators determined Aug. 17 that certain files containing patient information may have been exposed. Compromised information may have included names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates. For a small number of people, Social Security numbers may have been compromised.
Seth Meyer, a partner with Chicago-based law firm Keller Lenkner who is representing the plaintiffs, said the situation is especially threatening for patients because of the types of information that may have been compromised and because of the fact that the information was potentially exposed as part of a cyberattack, rather than by accident.
“This is the most sensitive type of information,” he said, noting affected patients will have to be vigilant to make sure their information isn’t being misused.
DuPage Medical Group has said it is offering free credit monitoring and identity theft protection services to patients who may be affected. It has also told people they could call 1-800-709-2027 for more information, but the lawsuit alleges that when Hestrup and Peiss called the number Sept. 1, they were not told whether they were affected by the breach, and to wait for a letter in the mail.
When asked why patients haven’t been able to get information by calling the number, DuPage Medical Group said in a statement Wednesday that if people don’t get the information they want through the call center, “their requests are provided to DMG to be addressed.” People whose information was not compromised in the breach will not receive letters, the medical group said.
© 2021 Chicago Tribune. Distributed by Tribune Content Agency, LLC.
