Federal authorities are conducting a criminal investigation into a massive data breach that potentially affected up to 1.2 million patients in Cook County's public health system and a total of 14 million people across the country, according to records obtained by WBEZ.
In a grand jury subpoena sent to Cook County Health in November, investigators asked the agency to turn over “any and all information related to a data security incident” involving Perry Johnson & Associates, the Nevada-based medical transcription company also known as PJ&A.
The subpoena shows that Acting U.S. Attorney Maurice Pascual and a prosecutor in the U.S. Department of Justice's Fraud Section asked officials to produce PJ&A's contract with Cook County, records related to “due diligence by Cook County on PJ&A” and all communications the county had with the company regarding Data leak.
The feds also asked the county health system's risk management division to turn over “a list of affected individuals and corresponding data that was compromised” and any documents “related to identifying the unauthorized third party that accessed PJ&A data.”
WBEZ obtained a copy of the subpoena last week, after Cook County Health was sued in April for violating the state's open records law.
Justice Department officials did not respond to messages, while spokespersons for Pascal and the FBI declined to comment, saying in a statement that agency policy prohibits officials from commenting “on the nature of any investigation that may occur.”
Cook County Health spokeswoman Alexandra Normington said the subpoena from the feds was the “first contact” the health system received from federal investigators requesting information about the breach. Normington said the health system “fully cooperated” with authorities, but he did not know what specifically the federal investigation entailed.
Cook County Health has also been hit with multiple lawsuits stemming from the data breach in Cook County Circuit Court and federal court, court records show.
In one court case here against the county health system and PJ&A, officials were accused of “failing to exercise reasonable care in protecting and safeguarding” patients’ private information and “failing to promptly notify them” of the breach.
The class action complaint states that the county health system became aware of the problem in July 2023, but did not notify patients for three months that their personal data “was in the hands of cybercriminals.” The suit alleges that the delay “virtually ensured that unauthorized third parties who exploited those vulnerabilities could monetize, misuse or disseminate” the compromised information before patients could take steps to protect themselves.
The attorney in the case, Ben Barno, and the health system's outside counsel, Megan VanderWael, declined to comment on the lawsuit pending in Cook County Circuit Court.
Normington, the Cook County health spokeswoman, said the health system has not filed a lawsuit against PJ&A.
Cook County Health “takes our patients’ privacy very seriously,” Normington said. “We are continuing to work to address this situation as completely as possible.”
PJ&A officials and the attorney representing them in Cook County Circuit Court did not respond to messages.
The country's largest health data breach in 2023
PJ&A, based in Henderson, Nevada, revealed that the data breach occurred between March 27 and May 2 last year, with hackers accessing personal information — including dates of birth, Social Security numbers and medical test results — of some people. of affected patients.
The company first reported that the breach involved records for nearly 9 million individuals, but that number has since grown to at least 14 million, making it the largest health data breach of 2023, according to a January report by the HIPAA Journal, a publication Covers medical privacy. problems.
Cook County Health is one of the largest public health systems in the country, and its mission is to treat patients whether they can pay or not. The health system includes two hospitals – John H. Stroger Jr.'s flagship on the Near West Side and Provident on the South Side — and a network of clinics that surround the city and its suburbs.
Records recently obtained by WBEZ show that the feds sent the subpoena to Cook County Health 10 days after officials first told the public about the data breach.
On November 7, Cook County health officials revealed that PJ&A informed them of a “data security incident” in July 2023 and that the health system “ceased sharing data with PJ&A and terminated its relationship with PJ&A.”
County officials said they obtained the “final list of affected patients” from the contractor on Oct. 9, and PJ&A told them that “the records of 1.2 million patients were affected” by the breach, according to the health system's November statement.
Investigators sent the subpoena on Nov. 17, giving the Cook County Health Authority 10 days to provide the requested documents to an FBI agent in the agency's Lisle office, records show.
After WBEZ requested any subpoenas or search warrants Cook County Health had received from federal investigators in March, officials denied the request, arguing that even if they had any such records, they would be exempt from making them public.
WBEZ, represented by attorney Matt Topick, filed suit on April 11. The complaint accused county health officials of “willfully violating the Illinois Freedom of Information Act” and cited a landmark 2008 appellate court ruling against then-Illinois Gov. Rod Blagojevich, which made clear that federal grand jury records were not immune from disclosure under the state's open records law. .
The county health system sent a reporter a subpoena regarding the violation on June 3. County officials declined to explain why they reversed course and made the record public.
Another major breach at Suburban Ambulance Company
The federal government says ransomware attacks on hospitals represent a “significant and growing cyber threat,” according to a 2023 report. The FBI and Department of Justice treat cyberattacks on hospitals as “life-threatening” crimes, affecting patient care and safety, and causing To erode public confidence in health care systems.
In May alone, health care providers, insurers and other related businesses across the United States reported nearly 40 major breaches, impacting nearly 5.3 million people, according to the federal Department of Health and Human Services. HHS says the agency is required to publicize major breaches of unsecured protected health information affecting at least 500 individuals.
In Illinois, recent breaches included a network server breach at Elmhurst-based Superior Ground Air Ambulance, affecting nearly 860,000 people who received services, according to federal records.
About 10,000 people were affected when email was hacked at the University of Chicago Medical Center in Hyde Park on the South Side earlier this year.
When a “known criminal threat actor” earlier this year gained access to the network of Lurie Children's Hospital in Chicago, a destination for the sickest patients and most complex cases, many systems disappeared. Lori took email and phones offline. Parents and their providers lost access to online medical records, such as lab results and medical history — important details a doctor may need to help make decisions about treatment.
The Lurie power outage also affected independent pediatric practices that rely on Lurie's systems to bill and get paid.
Dan Mahalopoulos is an investigative reporter on WBEZ's government and politics team. Kristen Schorsch covers Cook County government and public health for WBEZ. John Seidel covers federal courts for the Chicago Sun-Times.
