Lawsuit filed against DuPage Medical Group after cyberattack that may have compromised patient data
Two patients have filed a lawsuit seeking class-action status against DuPage Medical Group just days after the physicians’ group said it was notifying 600,000 patients that their personal information may have been compromised during a July cyberattack.
The lawsuit, filed on behalf of Rochelle Hestrup and Erin Peiss in DuPage County Circuit Court on Wednesday, alleges that DuPage Medical Group didn’t do enough to protect patients’ personal information and didn’t tell them quickly enough about the breach.
The plaintiffs are seeking damages, reimbursement of out-of-pocket costs and improvements to DuPage Medical Group’s data security systems, among other things.
The lawsuit alleges that DuPage Medical Group and its employees “failed to properly monitor the computer network and systems housing the private information.”
“As a direct result of the data breach, plaintiffs and class members have been exposed to a heightened and imminent risk of fraud and identity theft,” the complaint alleges.
DuPage Medical Group did not immediately respond to a request for comment Thursday afternoon.
DuPage Medical Group disclosed news of the breach Monday, saying that it was notifying 600,000 patients that their personal information may have been compromised.
In mid-July, the medical group experienced a computer and phone outage that lasted nearly a week. Following that outage, DuPage Medical Group worked with cyber-forensic specialists to investigate the incident and found that it was caused by “unauthorized actors” who accessed its network between July 12 and July 13, according to a DuPage Medical Group news release.
The investigators determined Aug. 17 that certain files containing patient information may have been exposed. Compromised information may have included names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates. For a small number of people, Social Security numbers may have been compromised.
The medical group said in a news release earlier this week it was not aware of any patient’s personal information being misused because of the breach.
DuPage Medical Group has said it is offering credit monitoring and identity theft protection to patients who may be affected. It also told people they could call 1-800-709-2027 for more information, but the lawsuit alleges that when Hestrup and Peiss called the number Sept. 1, they were not told whether they were affected by the breach, and to wait for a letter in the mail.
When asked why patients haven’t been able to get information by calling the number, DuPage Medical Group said in a statement Wednesday that if people don’t get the information they want through the call center, “their requests are provided to DMG to be addressed.” People whose information was not compromised in the breach will not receive letters, the medical group said.
