A class action lawsuit has been filed against a healthcare provider and its third-party vendor following a data breach that compromised the personal information of millions.
Plaintiffs Bridget O’Neill, Kirk Moses, Michael Newton, Noel Carter, Martin Kurtev, and Izabela Debowczyk lodged the complaint in the United States District Court for the Northern District of Illinois on June 14, 2024. The defendants are Perry Johnson & Associates, Inc., Cook County Health & Hospitals System, and Cook County Health.
The plaintiffs allege that a cyberattack on Perry Johnson & Associates (PJ&A) led to the exfiltration of sensitive data, including patient names, Social Security numbers, medical records, insurance details, and clinical information. Cook County Health had shared this data with PJ&A as part of a service agreement for medical transcription services.
The plaintiffs accuse the defendants of negligence for not implementing sufficient security measures to protect this information, despite being aware of the potential risks. The complaint claims victims are now at higher risk of identity theft and fraud due to the breach. "Defendants maintained and shared that Private Information in a negligent and/or reckless manner," the complaint states. As a result of this breach, victims face increased risks of identity theft and fraud.
The lawsuit also alleges a delay in notifying affected individuals. PJ&A discovered suspicious activity on May 2, 2023, but did not inform Cook County Health until July 21, 2023, with patient notifications beginning in November 2023.
The plaintiffs are seeking damages for negligence, breach of implied contract, and unjust enrichment, among other claims. They are also seeking injunctive relief for improvements in data security and credit monitoring services funded by the defendants. The case is filed under No. 1:24-cv-4963.