Medical Group: 655,000 Affected by 'Network Outage' Breach
Large Illinois Group Practice Says PHI Exposed
After suffering a network systems outage that lasted at least a week in July, DuPage Medical Group, the largest multispecialty group practice in Illinois, is now reporting a data breach affecting more than 655,000 individuals.
In a statement Tuesday, the suburban Chicago medical group says that on July 13, it experienced a security incident that caused a disruption to its network systems.
A cyber forensics investigation into the incident determined that the network outage had been caused by unauthorized actors who gained access to the medical group's network between July 12 and July 13, the statement says.
"With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information may have been impacted as a result of this event," the medical group says.
On Aug. 17, the investigation determined that certain files stored within DuPage Medical Group's environment that contained patient information may have been exposed. Information potentially affected includes names, addresses, dates of birth and diagnosis, procedure and service codes, the medical group acknowledges.
For a small subset of individuals, Social Security numbers may also have been affected, the statement says.
"DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers," the statement says.
Several local news outlets, including the Chicago Tribune, had previously reported that the security incident at the medical group, which led to patients having difficulty calling their doctors’ offices and accessing online medical records, began on July 13 and lasted at least a week.
DuPage Medical Group says it has implemented additional cybersecurity measures and is reviewing existing security policies to further protect against future incidents and improve "every aspect of our technology road map to better serve patients."
The medical group also says it reported the incident to law enforcement authorities and state and federal regulators.
A DuPage Medical Group spokeswoman declined Information Security Media Group's request for additional details about the incident, including whether ransomware had been involved.
The hacking incident was added on Wednesday to the Department of Health and Human Services' HIPAA Breach Reporting Tool website that lists health data breaches affecting 500 or more individuals.
Rash of Ransomware
That includes a breach at Wisconsin-based Forefront Dermatology S.C., which on July 8 reported to HHS OCR a ransomware attack affecting more than 2.4 million individuals.
Also, medical management services vendor Practicefirst Medical Management Solutions on July 1 reported a breach involving ransomware affecting 1.2 million individuals.
Among other noteworthy recent ransomware incidents in the healthcare sector was the attack on San Diego-based Scripps Health in May, which resulted in systems outages for nearly a month.
The California organization reported last month to financial regulators that the security incident had so far cost nearly $113 million, including $91.6 million in lost revenue. About $21 million is expected to be covered by insurance, the entity reported.
Several proposed class action lawsuits have also been filed against Scripps Health in the wake of that incident (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
"Based on the limited amount of information available, it certainly sounds like [the DMG incident] may have been a ransomware attack - and, statistically speaking, it’s by far the most likely explanation," says Brett Callow, a threat analyst at security firm Emsisoft.
"For perspective, at least 37 healthcare providers and systems have been affected by ransomware so far this year, with the incidents having potentially disrupted patient care at more than 900 hospitals and other facilities," he says. "Unfortunately, there’s no quick and easy solution to the ransomware problem, and all providers can do is batten the hatches by adhering to the best practices that are regularly promoted by bodies including CISA and the FBI."