Federal authorities are conducting a criminal investigation into a massive data breach that potentially affected as many as 1.2 million patients at Cook County’s public health system and a total of 14 million people across the country, according to records obtained by WBEZ.
In a grand jury subpoena sent to Cook County Health in November, investigators asked the agency to turn over “any and all information related to the data security incident” involving Perry Johnson & Associates, a Nevada-based medical transcription company also known as PJ&A.
The subpoena shows Acting U.S. Attorney Morris Pasqual and a prosecutor in the U.S. Justice Department’s Fraud Section asked officials to provide PJ&A’s contract with Cook County, records relating to “due diligence by Cook County of PJ&A” and all communications the county had with the company regarding the data leak.
The feds also requested that the county health system’s Department of Risk Management turn over a “list of affected individuals and corresponding data that was compromised” and any documents “related to identifying the unauthorized third party which accessed PJ&A data.”
WBEZ obtained a copy of the subpoena last week, after suing Cook County Health in April for violating the state’s open-records law.
Justice Department officials did not return messages, while the spokespeople for Pasqual and the FBI declined to comment, saying in a statement that agency policy prevents officials from commenting “on the nature of any investigation that may be occurring.”
Cook County Health spokeswoman Alexandra Normington said the subpoena from the feds was the “first contact” that the health system received from federal investigators asking for information about the breach. The health system has “fully cooperated” with authorities, Normington said, but did not know what the federal investigation specifically entailed.
Court records show Cook County Health also has been hit with multiple lawsuits stemming from the data breach in Cook County Circuit Court and federal court.
In one case in court here against the county health system and PJ&A, officials were accused of “failure to exercise reasonable care in safeguarding and protecting” private information for patients and “failure to promptly notify” them of the breach.
The class-action complaint notes that the county health system learned of the problem in July 2023 but did not notify patients for three months that their personal data “was in the hands of cybercriminals.” The delay “virtually ensured that the unauthorized third parties who exploited those security lapses could monetize, misuse or disseminate” the hacked information before patients could take steps to protect themselves, the suit alleges.
The lawyer in that case, Ben Barnow, and an outside counsel for the health system, Meagan VanderWeele, both declined to comment on the pending litigation in Cook County Circuit Court.
Normington, the Cook County Health spokeswoman, said the health system has not sued PJ&A.
Cook County Health “takes the privacy of our patients extremely seriously,” Normington said. “We are continuing to work to remediate this situation as thoroughly as possible.”
PJ&A officials and an attorney representing them in Cook County court did not return messages.
The country’s largest breach of health data in 2023
PJ&A, which is based in Henderson, Nevada, has disclosed that the data breach occurred between March 27 and May 2 of last year, with the hackers getting access to personal information — including birth dates, Social Security numbers and medical test results — for some of the affected patients.
The company first reported that the hack involved records for nearly 9 million individuals, but that number has since risen to at least 14 million, making it 2023’s largest health data breach, according to a report in January by HIPAA Journal, a publication covering medical privacy issues.
Cook County Health is one of the biggest public health systems in the nation, with a mission to treat patients whether they can pay or not. The health system includes two hospitals — flagship John H. Stroger Jr. on the Near West Side and Provident on the South Side — and a network of clinics that ring the city and suburbs.
The records obtained recently by WBEZ show the feds sent the subpoena to Cook County Health 10 days after officials first let the public know about the data hack.
On Nov. 7, Cook County Health officials revealed that PJ&A had informed them about a “data security incident” in July 2023 and the health system “stopped sharing data with PJ&A and terminated its relationship with PJ&A.”
County officials said they got a “final list of affected patients” from the contractor on Oct. 9 and PJ&A told them “records for 1.2 million patients were impacted” by the hack, according to the health system’s statement in November.
Records show investigators sent the subpoena on Nov. 17 and gave Cook County Health 10 days to submit the requested documents to an FBI agent in the agency’s Lisle office.
After WBEZ requested any subpoenas or search warrants that Cook County Health had received from federal investigators, in March, officials denied the request, arguing that, even if they had any such records, they would be exempt from being made public.
Represented by attorney Matt Topic, WBEZ filed suit on April 11. The complaint accused county health officials of “willful violation of the Illinois Freedom of Information Act” and cited a landmark 2008 appellate court ruling against then-Illinois Gov. Rod Blagojevich, which made clear that federal grand jury records are not immune from disclosure under the state’s open-records law.
The county health system sent a reporter the subpoena regarding the breach on June 3. County officials declined to explain why they reversed course and released the public record.
Another major breach at a suburban ambulance company
The federal government says ransomware attacks on hospitals are an “outsized and growing cyber threat,” according to a 2023 report. The FBI and Justice Department treat cyber attacks on hospitals as “threat to life” crimes, affecting patient care and safety and also eroding public trust in health care systems.
In May alone, health care providers, insurance companies and other related businesses across the U.S. reported nearly 40 large breaches, affecting roughly 5.3 million people, according to the federal Department of Health and Human Services. HHS says the agency is required to post large breaches of unsecured protected health information affecting at least 500 individuals.
In Illinois, the recent breaches included a hack on the network server at Elmhurst-based Superior Air-Ground Ambulance, affecting nearly 860,000 people who received services, according to federal records.
And some 10,000 people were affected when email at the University of Chicago Medical Center in Hyde Park on the South Side got hacked earlier this year.
When a “known criminal threat actor” earlier this year accessed the network at Lurie Children’s Hospital in Chicago, a destination for the sickest patients and most complex cases, many systems went dark. Lurie took email and phones offline. Parents and their providers lost access to online medical records, such as lab results and medical history — crucial details a doctor could need to help make decisions about treatment.
The outage at Lurie also impacted independent pediatric practices that depend on Lurie’s systems to bill and get paid.
Dan Mihalopoulos is an investigative reporter on WBEZ’s Government & Politics Team. Kristen Schorsch covers Cook County government and public health for WBEZ. Jon Seidel covers federal courts for the Chicago Sun-Times.
