Lawsuit Alleges Security Failures at Clinic
DuPage Medical Group Sued After Breach Affecting 655,000
DuPage Medical Group in suburban Chicago has been smacked with a lawsuit following its recent "network outage" health data breach, which was reported to regulators as potentially affecting the protected health information of more than 655,000 individuals.
In the lawsuit filed Wednesday, which seeks class action status, plaintiffs allege that the medical group was "negligent and reckless because it failed to properly maintain and safeguard the DMG computer systems, network and data."
DuPage Medical Group's "unlawful conduct includes, but is not limited to … failing to maintain an adequate data security system to reduce the risk of data breaches and cyberattacks … and to adequately protect patients’ private information. Where the most private information belonging to plaintiffs and class members was accessed and removed from defendant’s network, there is a strong probability that entire batches of stolen information have been dumped on the black market or are yet to be dumped on the black market, meaning plaintiffs and the class members are at an increased risk of fraud and identity theft for many years into the future."
The lawsuit seeks a court order requiring the medical group to pay for at least three years of credit monitoring services for individuals affected by the breach. It also seeks damages.
In addition, the suit seeks to compel the medical group to use appropriate methods and policies for consumer data collection, storage and safety and to require it to disclose the type of data that was compromised.
DuPage Medical Group, in a statement issued Tuesday before news of the lawsuit broke, said that on July 13, it experienced a security incident that caused a disruption to its network systems.
A cyber forensics investigation into the incident determined that the network outage had been caused by unauthorized actors who gained access to the medical group's network between July 12 and July 13, the statement said.
"With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information may have been impacted as a result of this event," the medical group said.
On Aug. 17, the investigation determined that certain files stored within DuPage Medical Group's environment that contained patient information may have been exposed. Information potentially affected includes names, addresses, dates of birth and diagnosis, procedure and service codes, the medical group acknowledges.
For a small subset of individuals, Social Security numbers may also have been affected, the statement says.
"DMG has no evidence that any information has been subject to actual or attempted misuse as a result of this incident. This event did not impact financial account numbers," the group's statement said.
Several local news outlets, including the Chicago Tribune, had previously reported that the security incident at the medical group, which led to patients having difficulty calling their doctors’ offices and accessing online medical records, began on July 13 and lasted at least a week.
In a statement provided to Information Security Media Group on Friday, the clinic said: "DuPage Medical Group has not been served with the lawsuit and will need time to analyze any allegations. We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises. Credit monitoring and identity protection services at no cost are being offered to those affected by this incident."
However, the suburban Chicago medical group did not immediately respond to ISMG's request for additional details about the security incident, including whether it involved ransomware.
The lawsuit alleges a long list of security failures by the medical group, including failing to:
- Properly monitor its data security systems for intrusions, brute-force attempts and clearing of event logs;
- Apply all available security updates, install the latest software patches, update its firewalls, check user account privileges or ensure proper security practices;
- Practice the principle of least-privilege and maintain credential hygiene;
- Avoid the use of domain-wide, admin-level service accounts and employ or enforce the use of strong randomized, just-in-time local administrator passwords;
- Properly train and supervise employees in the proper handling of inbound emails.
The lawsuit also alleges the medical group is responsible for invasion of privacy; breach of express and implied contract; breach of fiduciary duty; and violations of Illinois state laws, including the Consumer Fraud Act and Consumer Personal Information Protection Act.
'Duty to Protect'
The lawsuit also states that the medical group had the duty "to use reasonable security measures under HIPAA … to reasonably protect confidential data from any intentional or unintentional use or disclosure … and to have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information."
The legal action also alleges that the medical group "had a duty to employ reasonable security measures under Section 5 of the Federal Trade Commission Act … which prohibits unfair … practices in or affecting commerce, including, as interpreted and enforced by the FTC, the unfair practice of failing to use reasonable measures to protect confidential data."
The suit claims that it was foreseeable that DuPage Medical Group's "failure to use reasonable measures to protect class members’ private information would result in injury to plaintiffs and class members. Further, the breach of security was reasonably foreseeable given the known high frequency of cyber-attacks and data breaches in the medical industry."
Those affected by the breach "have suffered and will continue to suffer damages and economic losses," the lawsuit states. Those include lost time needed to take measures to avoid unauthorized and fraudulent charges and putting alerts on their credit files.
Additionally, plaintiffs and class members "are entitled to damages for unauthorized access to, theft of, and misuse of their PII and PHI," the lawsuit states.
"Healthcare organizations should recognize that the industry’s reputation for lax cybersecurity protections - coupled with little government action to enforce existing privacy and security standards like HIPAA - have consumers angry and afraid," says privacy attorney David Holtzman of the consultancy HITprivacy LLC.
"We are seeing a feeding frenzy led by class-action litigators to find patients who will bring lawsuits alleging healthcare organizations or their vendor has failed to use reasonable information security safeguards to protect their sensitive personal information from unauthorized access by cybercriminals," he says.
Several states, including Ohio, Utah and Connecticut, have laws to incentivize investment in heightened protections around personal information by creating an affirmative defense from some lawsuits if an organization experiences a data breach, he notes.
"While not specifically targeted to healthcare, many states already require a written cybersecurity program as part of their data security laws. The safe harbor as a defense in class action lawsuits could be another approach to be taken by states to push boards of directors and CEOs to make the necessary investments in promoting cybersecurity as an imperative for any organization that holds sensitive consumer information."
Crisis response attorney William Moran of the law firm Otterbourg notes: "Every instance of a company’s widespread data breach has the potential to lead to a future claim, including a class action claim, against the organization."