Feds investigating last years data breach affecting the Cook County hospital system WBEZ Chicago

pViews of John H Stroger Jr Hospital of Cook County in Chicago on March 6 2020 Federal authorities are conducting a criminal investigation into a massive data breach that potentially affected as many as 12 million patients in the countys public health systemppManuel MartinezWBEZppFederal authorities are conducting a criminal investigation into a massive data breach that potentially affected as many as 12 million patients at Cook Countys public health system and a total of 14 million people across the country according to records obtained by WBEZppIn a grand jury subpoena sent to Cook County Health in November investigators asked the agency to turn over any and all information related to the data security incident involving Perry Johnson Associates a Nevadabased medical transcription company also known as PJAppThe subpoena shows Acting US Attorney Morris Pasqual and a prosecutor in the US Justice Departments Fraud Section asked officials to provide PJAs contract with Cook County records relating to due diligence by Cook County of PJA and all communications the county had with the company regarding the data leakppThe feds also requested that the county health systems Department of Risk Management turn over a list of affected individuals and corresponding data that was compromised and any documents related to identifying the unauthorized third party which accessed PJA datappWBEZ obtained a copy of the subpoena last week after suing Cook County Health in April for violating the states openrecords lawppJustice Department officials did not return messages while the spokespeople for Pasqual and the FBI declined to comment saying in a statement that agency policy prevents officials from commenting on the nature of any investigation that may be occurringppCook County Health spokeswoman Alexandra Normington said the subpoena from the feds was the first contact that the health system received from federal investigators asking for information about the breach The health system has fully cooperated with authorities Normington said but did not know what the federal investigation specifically entailedppCourt records show Cook County Health also has been hit with multiple lawsuits stemming from the data breach in Cook County Circuit Court and federal courtppIn one case in court here against the county health system and PJA officials were accused of failure to exercise reasonable care in safeguarding and protecting private information for patients and failure to promptly notify them of the breachppThe classaction complaint notes that the county health system learned of the problem in July 2023 but did not notify patients for three months that their personal data was in the hands of cybercriminals The delay virtually ensured that the unauthorized third parties who exploited those security lapses could monetize misuse or disseminate the hacked information before patients could take steps to protect themselves the suit allegesppThe lawyer in that case Ben Barnow and an outside counsel for the health system Meagan VanderWeele both declined to comment on the pending litigation in Cook County Circuit CourtppNormington the Cook County Health spokeswoman said the health system has not sued PJAppCook County Health takes the privacy of our patients extremely seriously Normington said We are continuing to work to remediate this situation as thoroughly as possibleppPJA officials and an attorney representing them in Cook County court did not return messagesppPJA which is based in Henderson Nevada has disclosed that the data breach occurred between March 27 and May 2 of last year with the hackers getting access to personal information including birth dates Social Security numbers and medical test results for some of the affected patientsppThe company first reported that the hack involved records for nearly 9 million individuals but that number has since risen to at least 14 million making it 2023s largest health data breach according to a report in January by HIPAA Journal a publication covering medical privacy issuesppCook County Health is one of the biggest public health systems in the nation with a mission to treat patients whether they can pay or not The health system includes two hospitals flagship John H Stroger Jr on the Near West Side and Provident on the South Side and a network of clinics that ring the city and suburbsppThe records obtained recently by WBEZ show the feds sent the subpoena to Cook County Health 10 days after officials first let the public know about the data hackppOn Nov 7 Cook County Health officials revealed that PJA had informed them about a data security incident in July 2023 and the health system stopped sharing data with PJA and terminated its relationship with PJAppCounty officials said they got a final list of affected patients from the contractor on Oct 9 and PJA told them records for 12 million patients were impacted by the hack according to the health systems statement in NovemberppRecords show investigators sent the subpoena on Nov 17 and gave Cook County Health 10 days to submit the requested documents to an FBI agent in the agencys Lisle officeppAfter WBEZ requested any subpoenas or search warrants that Cook County Health had received from federal investigators in March officials denied the request arguing that even if they had any such records they would be exempt from being made publicppRepresented by attorney Matt Topic WBEZ filed suit on April 11 The complaint accused county health officials of willful violation of the Illinois Freedom of Information Act and cited a landmark 2008 appellate court ruling against thenIllinois Gov Rod Blagojevich which made clear that federal grand jury records are not immune from disclosure under the states openrecords lawppThe county health system sent a reporter the subpoena regarding the breach on June 3 County officials declined to explain why they reversed course and released the public recordppThe federal government says ransomware attacks on hospitals are an outsized and growing cyber threat according to a 2023 report The FBI and Justice Department treat cyber attacks on hospitals as threat to life crimes affecting patient care and safety and also eroding public trust in health care systemsppIn May alone health care providers insurance companies and other related businesses across the US reported nearly 40 large breaches affecting roughly 53 million people according to the federal Department of Health and Human Services HHS says the agency is required to post large breaches of unsecured protected health information affecting at least 500 individualsppIn Illinois the recent breaches included a hack on the network server at Elmhurstbased Superior AirGround Ambulance affecting nearly 860000 people who received services according to federal recordsppAnd some 10000 people were affected when email at the University of Chicago Medical Center in Hyde Park on the South Side got hacked earlier this yearppWhen a known criminal threat actor earlier this year accessed the network at Lurie Childrens Hospital in Chicago a destination for the sickest patients and most complex cases many systems went dark Lurie took email and phones offline Parents and their providers lost access to online medical records such as lab results and medical history crucial details a doctor could need to help make decisions about treatmentppThe outage at Lurie also impacted independent pediatric practices that depend on Luries systems to bill and get paidppDan Mihalopoulos is an investigative reporter on WBEZs Government Politics Team Kristen Schorsch covers Cook County government and public health for WBEZ Jon Seidel covers federal courts for the Chicago SunTimespp 2024 Chicago Public Media Inc Privacy Policy Terms of Use FCC Public Filing Info Notice of FCC Applicationsp