IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Ill. Health-Care Group Informs 600K Patients of Data Breach

DuPage Medical Group, the biggest independent physicians group in Illinois, told 600,000 patients that their data may have been stolen by criminals. Cyber attacks have become common for health-care organizations.

DuPage Medical Group - use once only
DuPage Medical Group, the state’s largest independent physicians group, had the records of 600,000 patients exposed to unauthorized people during a July security breach.
Quan Truong/Chicago Tribune
(TNS) — DuPage Medical Group is notifying 600,000 patients that their personal information may have been compromised during a July cyber attack.

DuPage Medical Group, which is the state’s largest independent physicians group, experienced a computer and phone outage that lasted nearly a week in mid-July. The group worked with cyber forensic specialists to investigate the incident and found that the outage was caused by “unauthorized actors” who accessed its network between July 12 and July 13, according to a DuPage Medical Group news release.

The investigators determined Aug. 17 that certain files containing patient information may have been exposed. Compromised information may have included names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates. For a small number of people, Social Security numbers may have been compromised.

The medical group is not aware of any patient’s personal information being misused because of the breach, it said in the news release.

“The health care sector is under attack by cyber criminals who have no regard for the health or well-being of others,” Steve Nelson, CEO of DuPage Medical Group, said in a statement. “Our physicians and team members have worked tirelessly to provide personalized care for our patients, despite facing significant challenges.”

DuPage Medical Group is offering credit monitoring and identity theft protection to patients who may be affected. People can also call 1-800-709-2027 between the hours of 8 a.m. and 8 p.m., Monday through Friday, or visit for additional information.

DuPage Medical Group has implemented additional cybersecurity measures and is reviewing security policies, it said in the news release.

Cybersecurity incidents at health care organizations have become common in recent years. So far this year, 21 other organizations in Illinois have reported data breaches affecting at least 500 people, according to the U.S. Department of Health and Human Services Office for Civil Rights.

If 600,000 individuals were affected by the DuPage Medical Group attack, that would be the largest breach in Illinois so far this year by about threefold, based on information reported to the U.S. Department of Health and Human Services.

Federal regulations require organizations to report data breaches of protected health information involving 500 or more people to the U.S. Department of Health and Human Services within 60 days. They also must notify anyone whose data may have been compromised.

Significant cybersecurity incidents are now “the norm” at health care organizations, according to the 2020 Healthcare Information and Management Systems Society Cybersecurity Survey. About 70% of 168 health care cybersecurity professionals surveyed in the U.S. reported having a “significant security incident” in the last 12 months, according to the survey.

Those who responded to the survey indicated that phishing attacks were the most common type of cybersecurity incident. Phishing is when scammers send fraudulent emails or text messages to people to try to trick them into revealing personal information, company information or downloading malware.

©2021 Chicago Tribune. Distributed by Tribune Content Agency, LLC.