A DuPage Medical Group data breach may have affected 600,000 patients. Here’s what patients should know.

DuPage Medical Group revealed Monday that the personal information of 600,000 patients may have been compromised in a July cyberattack.

Though that’s the largest reported health-related cybersecurity incident in Illinois so far this year, such breaches are now common. Here’s what patients at DuPage, and elsewhere, should know about breaches and cyberattacks in health care.

Q: What happened at DuPage Medical Group?

A: DuPage Medical Group, the state’s largest independent physicians group, experienced a computer and phone outage that lasted nearly a week in mid-July. The group worked with cyber-forensic specialists to investigate the incident and found that the outage was caused by “unauthorized actors” who accessed its network between July 12 and July 13, according to a DuPage Medical Group news release.

The investigators determined Aug. 17 that certain files containing patient information may have been exposed. Compromised information may have included names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures, and treatment dates. For a small number of people, Social Security numbers may have been compromised.

Q: Have any DuPage patients had their information stolen or used fraudulently as a result?

A: The medical group is not aware of any patients’ personal information being misused, but it is notifying “a broad and inclusive list of patients whose information may have been involved in this incident as a precaution,” CEO Steve Nelson said in a statement.

Q: What should potentially affected patients do?

A: DuPage is offering credit monitoring and identity theft protection to those who may have been affected. Patients can also call 1-800-709-2027 between the hours of 8 a.m. and 8 p.m., Monday through Friday, or visit www.dupagemedicalgroup.com for additional information.

Q: How common are data breaches at health care organizations?

A: Significant cybersecurity incidents are now “the norm” at health care organizations, according to the 2020 Healthcare Information and Management Systems Society Cybersecurity Survey. About 70% of 168 health care cybersecurity professionals surveyed in the U.S. reported having a “significant security incident” in the last 12 months, according to the survey.

Q: How many health organizations have had data breaches in Illinois?

A: So far this year, at least 21 other organizations in Illinois have reported data breaches of protected health information involving 500 or more individuals.

Q: How do I know if my protected health information has been compromised in a data breach?

A: Federal regulations require health care organizations to notify individuals if their protected health information may have been exposed. They are also required to report information about data breaches of protected health information involving 500 or more people to the U.S. Department of Health and Human Services within 60 days of discovering the breach, and they are required to report breaches to a prominent media outlet. Breaches involving fewer than 500 people are supposed to be reported to the department within 60 days of the end of the calendar year in which the breach was discovered.

You can find a list of breaches involving protected health information in Illinois and across the country here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Q: Are there other steps I should take if my information is exposed?

A: If your Social Security number has been exposed, the Federal Trade Commission recommends taking advantage of any free credit monitoring offered by the organization that experienced the breach. You can also get free credit reports at annualcreditreport.com to check for unusual activity. You may want to consider placing a free credit freeze, which makes it more difficult for someone to open a new account in your name.

Q: How do I know if someone is fraudulently using my medical information?

A: Watch for warning signs such as getting a bill from your doctor for services you didn’t receive or seeing services and medications you didn’t receive included in the explanation of benefits documents you receive from your insurance company, according to the FTC.

You can request your medical records and examine them for problems.

If you see errors in your medical records, report them to your health care provider in writing, including a copy of the erroneous medical record. Your health care provider must respond to your request within 30 days and notify other health care providers who may have the same mistake in their records, according to the FTC.

lschencker@chicagotribune.com