The Perry Johnson & Associates (PJ&A) data breach was the biggest reported breach involving protected health information in 2023, with more than 13 million patients affected1. Now WBEZ in Chicago reports that there is a federal criminal investigation related to the breach at the medical transcription service.
Federal authorities are conducting a criminal investigation into a massive data breach that potentially affected as many as 1.2 million patients at Cook County’s public health system and a total of 14 million people across the country, according to records obtained by WBEZ.
In a grand jury subpoena sent to Cook County Health in November, investigators asked the agency to turn over “any and all information related to the data security incident” involving Perry Johnson & Associates, a Nevada-based medical transcription company also known as PJ&A.
The subpoena shows Acting U.S. Attorney Morris Pasqual and a prosecutor in the U.S. Justice Department’s Fraud Section asked officials to provide PJ&A’s contract with Cook County, records relating to “due diligence by Cook County of PJ&A” and all communications the county had with the company regarding the data leak.
Read more at WBEZ.
According to records obtained by WBEZ, the subpoena was sent to Cook County Health 10 days after officials first disclosed the breach to the public. But why was the US Department of Justice’s Fraud Section leaping into subpoena action so quickly with a criminal investigation? Was there any reason to suspect fraud, or is this fairly routine?
DataBreaches emailed the US DOJ to ask whether, in general, the DOJ’s Fraud Section issues subpoenas for a criminal investigation soon after a breach is announced or if that is not the usual pattern. Unfortunately, they did not reply, leaving us still puzzled as to why the federal government began a criminal investigation so quickly. Was the target PJ&A, or was it the threat actors, or was something else going on?
If any lawyers can share their professional experience and insight about this, please email this site at tips[at]databreaches[.]net.
—————
1 The incident was reported to HHS in November 2023 as affecting 8,952,212. In February 2024, PJ&A reported the total number affected to Maine as 13,300,750.