Two patients are suing DuPage Medical Group over the July breach of its computer networks, in which the identity and health information of up to 600,000 patients was exposed.
Kane County resident Erin Peiss and Rochelle Hestrup, who lives in DuPage County, are asking a DuPage judge to make it a class-action suit so other patients can join.
The lawsuit was filed on Thursday.
“The patients harmed in this data breach are now at serious, imminent risk of fraud and identity theft,” said Seth Meyer, the lawyer representing Peiss and Hestrup. “DMG failed to take the necessary steps to secure private, sensitive information entrusted to them by their patients. On behalf of our clients, we intend to hold DMG accountable for putting hundreds of thousands of patients’ information at risk.”
The lawsuit alleges negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. It seeks compensation, more protection for patients and improvements to DuPage Medical Group’s data-security systems.
“DuPage Medical Group has not been served with the lawsuit and will need time to analyze any allegations,” spokesman Emily Ford said in a written response to a request for comment on the lawsuit. “We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises.”
The lawsuit says DuPage Medical Group failed to safeguard patients’ information, despite warnings from government agencies and other experts to the medical industry that medical providers are data-rich prime targets of hackers. It says the group did not inform patients in a timely and adequate way of what information was accessed.
Even on Wednesday, when Hestrup and Peiss called a hotline DuPage Medical Group had set up for patients, the group wouldn’t say whether Hestrup’s and Peiss’ information was stolen, they said. They were told to wait for a letter in the mail.
DuPage Medical Group said Monday that “unauthorized actors” accessed its network July 12 to 13. The names, addresses, dates of birth, diagnosis codes, medical procedure codes, and, in some cases, Social Security numbers of patients were exposed, it said.
The lawsuit says patients will likely have to spend time and money securing and monitoring their financial accounts and credit histories, and fixing any problems that arise as a result of the breach.
It asks that DuPage Medical Group be ordered to pay for three years’ worth of credit-monitoring and identity-theft protection services for the patients.
DuPage Medical Group is offering free credit-monitoring and identity-protection services to affected patients.