Notice of Data Security Incident

On July 13, 2021, DMG experienced a security incident that caused a disruption to its network systems. DMG immediately began working with third-party cyber-forensic specialists to assist in the investigation to determine the full nature and scope of the incident. Through the investigation, it was determined that the network outage was caused by unauthorized actors who gained access to the DMG network between July 12, 2021, and July 13, 2021. With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information may have been impacted as a result of this event. On August 17, 2021, we determined that certain files stored within our environment that contained patient information may have been impacted by this event.

DMG is in the process of mailing letters directly to a broad and inclusive list of individuals whose information may be involved in this incident. The personal information potentially affected by this incident included names, addresses, dates of birth, diagnosis codes, CPT codes (Current Procedural Terminology, also known as service codes, are a universal system that identifies medical procedures), and treatment dates. For a small subset of individuals, Social Security numbers may also have been affected. DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers.

While the investigation determined that only certain portions of the network were impacted by this incident, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event. As a result, a broad and inclusive list of patients whose information may have been involved in this incident is being notified by DMG as a precaution.

Although DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident, we understand that individuals may have concerns, and as an added precaution, DMG is offering credit monitoring and identity theft protection at no cost for those individuals affected and potentially affected by this incident. A dedicated call center has been established to help address questions about this incident. Additional information is available by calling the toll-free incident response line at 1-800-709-2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

The company has implemented additional cybersecurity measures and, as part of DMG’s ongoing commitment to the security of information, is reviewing existing security policies to further protect against future incidents and improve every aspect of our technology roadmap to better serve patients. Additional details regarding how individuals can protect their information, should they feel it appropriate to do so, are included below.


Frequently Asked Questions (FAQs)

Q. What happened?

On July 13, 2021, DuPage Medical Group experienced a security incident that caused a disruption to our network systems. We immediately began working with third-party cyber-forensic specialists to assist in our investigation to determine the full nature and scope of the incident. It was determined that the network outage was caused by unauthorized actors who gained access to the DMG network between July 12, 2021 and July 13, 2021.

Through the investigation, it was determined that certain systems containing information related to patients may have also been impacted by this event. DMG, with the assistance of the forensic specialists, conducted a thorough and time-consuming review of its systems to determine whether any patient information may have been impacted as a result of this event. On August 17, 2021, we discovered that certain files stored within our environment that contained patient information may have been impacted by this event.

Once it was determined that personal information was potentially involved in this incident, DuPage Medical Group moved quickly to notify those individuals and government regulators, in accordance with applicable law. DMG is in the process of mailing letters directly notifying patients whose information may be involved in this incident and has established a dedicated, toll-free call center to help answer patient questions.

To date, DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. DMG’s review of information is ongoing, however, and DMG encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity and to detect errors. Credit monitoring and identity theft protection is being offered at no cost through Equifax to those individuals affected and potentially affected by this incident.

Q. When did DMG learn of this incident?

On July 13, 2021, DMG first learned of the suspicious activity and immediately took steps to address the situation.

Q. When did the incident occur?

On July 13, 2021, DuPage Medical Group experienced a security incident that caused a disruption to our network systems. We immediately began working with third-party cyber-forensic specialists to assist in our investigation to determine the full nature and scope of the incident. It was determined that the network outage was caused by unauthorized actors who gained access to the DMG network between July 12, 2021 and July 13, 2021.

Q. What information/data was involved?

The information impacted potentially includes names, addresses, dates of birth, diagnosis codes, CPT codes, and treatment dates for certain patients. Current Procedural Terminology (CPT) codes, also known as service codes, are a universal system that identifies medical procedures. DMG’s review of information is ongoing; however, to date, there is no indication that any personal information has been subject to actual or attempted misuse as a result of this incident. This incident also impacted Social Security numbers for a subset of patients. DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers. Affected individuals are being notified by DMG by mail and the specific information impacted for individuals will be present in the letter.

In addition, while the investigation determined that only certain portions of the network were impacted by this event, DuPage Medical Group conducted an extensive and thorough investigation and could not rule out the possibility that files containing patients’ information may have been impacted by this event. As a result, a broad and inclusive list of patients whose information may have been involved in this incident is being notified by DMG as a precaution.

Q. How can I find out if my information may have been affected by this incident?

Affected individuals are being notified by DMG by mail and we are in the process of mailing notice letters to patients whose information may be involved. If your information was involved, we expect that you will receive your letter soon. However, if you would like to understand sooner whether your information may have been affected, you may call DMG’s toll-free incident response line at 1-800-709-2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

Q. Has my information been misused?

There is no indication of any actual or attempted misuse of your information. We wanted to provide you with information about the incident, our response, and steps you may take to better protect against the possibility of identity theft and fraud, should you feel it necessary.

Q. What support and protection is DMG offering to affected individuals?

We share in the frustration and concern this incident may have caused you. Although DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident, we understand that individuals may have concerns, and as an added precaution, DMG is offering credit monitoring and identity theft protection at no cost through Equifax to those individuals affected and potentially affected by this incident. A dedicated call center has been established to help address questions about this incident. Additional information is available by calling the toll-free incident response line at 1-800-709-2027 between the hours of 8 A.M. and 8 P.M. CST Monday through Friday.

Q. Have you notified law enforcement?

Yes, we notified law enforcement and are supporting their investigation into this incident.

Q. Who are the unauthorized actors/parties responsible for this incident?

We reported this matter to law enforcement and are supporting their investigation into this incident. We are unable to provide any additional information.

Q. How do you know the systems are safe now?

Information security is among DMG’s highest priorities. Upon becoming aware of this incident, we immediately took steps to confirm the security of our systems. As part of our ongoing commitment to the security of information, we are reviewing existing security policies and have implemented additional cybersecurity measures to further protect against similar incidents occurring in the future. In addition, we notified law enforcement and are supporting their investigation into this incident.

Q. What did DMG do in response to this incident?

DMG takes the security of personal information in its care seriously. Upon learning of this incident, DMG moved quickly to assess and address the security of its systems, and to notify law enforcement and potentially impacted individuals. As part of its ongoing commitment to information security, DMG is also reviewing and enhancing existing policies and procedures. DMG also reported this incident to state and federal regulators.

Q. What steps can I take to protect my information?

DMG encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their credit reports and explanation of benefits forms for suspicious activity. DMG is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. The relevant contact information is below:

Equifax

P.O. Box 105069

Atlanta, GA 30348

1-888-766-0008

www.equifax.com

Experian

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com

TransUnion

P.O. Box 2000

Chester, PA 19016

1-800-680-7289

www.transunion.com

Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.

Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.