Chair Cassidy Slams Illinois Governor for Exposing Sensitive Health Data, Threatening Critical Services to Families


WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, slammed Illinois Governor JB Pritzker after his state’s health department recklessly exposed private patient data to bad actors, threatening critical services to families.

Earlier this year, the Illinois Department of Human Services (IDHS) admitted a cyberbreach exposed 700,000 Americans’ private health information over a four-year period. This comes after hostile actors hacked IDHS in 2024, gaining access to 1.1 million Americans’ records, including Social Security numbers.

Despite several years of cybersecurity failures, Pritzker and IDHS have failed to implement proper cybersecurity measures. These breaches not only put Americans’ data at risk but also delay crucial support, including food, health care, housing, and child care that Illinois families depend on.

“Protecting the privacy and security of sensitive health information is essential to ensure that patients receive the best care and that their information is not misused,” wrote Dr. Cassidy. “Despite IDHS’ role in helping vulnerable communities, its repeated failures to implement basic security processes highlight IDHS’ disregard of its responsibility to over 4.6 million Illinois residents.”

Earlier this Congress, Cassidy introduced the Health Care Cybersecurity and Resilience Act to further protect Americans’ health data. He has investigated several cybersecurity lapses, including those by OPEXUS and UnitedHealth Group.

Read the full letter here or below.

Dear Secretary Quintero:

Protecting the privacy and security of sensitive health information is essential to ensure that patients receive the best care and that their information is not misused. Cyber criminals continue to exploit vulnerabilities to gain access to this data, potentially using it to interrupt care and commit fraud. In 2025, there were 628 reported health care data breaches.1 As hostile actors use more sophisticated methods to obtain health information, government stewards of protected health information (PHI) must all take robust steps to deter these attacks.

The recent announcement by the Illinois Department of Human Services (IDHS) raises questions about its commitment to data security. On January 2, 2026, IDHS disclosed that the PHI of over 700,000 individuals had been publicly accessible on IDHS’ website dating back to as early as April 2021.2 IDHS has stated that this lapse was due to “incorrect privacy settings.”3

This is the second time since 2024 that IDHS has experienced a cybersecurity incident. In 2024, IDHS disclosed that hostile actors gained access to records of over 1.1 million individuals, including Social Security numbers.4 IDHS provides support to Illinois residents, including food, health care, housing, and child care services. Despite IDHS’ role in helping vulnerable communities, its repeated failures to implement basic security processes highlight IDHS’ disregard of its responsibility to over 4.6 million Illinois residents.5 To that end, I request answers to the following questions by February XX, 2026.

  1. IDHS has stated that it first became aware of the security incident it disclosed on January 2, 2026, on September 22, 2025.
     1. What immediate steps did IDHS take to respond to the incident?
     2. Did IDHS notify any state or federal entities? If so, please provide a list of those entities and when IDHS notified them.
  2. IDHS has indicated that the security incident was a result of “incorrect privacy settings” on its mapping website.6
     1. What security practices does IDHS employ to ensure its infrastructure has adequate security protocols in place?
     2. Does IDHS conduct any security audits of its information technology (IT) infrastructure? If so, when was the last time IDHS conducted an audit, and what was the conclusion of that audit?
  3. The Health Insurance Portability and Accountability Act (HIPAA) requires entities involved in a breach of PHI to notify impacted individuals and the public no later than 60 days after a breach is discovered. IDHS, however, did not make a disclosure until 102 days after discovery.7
     1. Why did IDHS wait 42 days after the required notification deadline to provide information about the incident?
     2. How is IDHS engaging with impacted individuals to provide more information about the incident?
     3. Has IDHS committed to provide any credit monitoring or support services? If not, does it intend to provide any support services?
  4. In 2024, IDHS experienced a security incident that led to the disclosure of over 1.1 million consumer records, including Social Security numbers.8 What remedial steps did IDHS take in light of that incident to improve its security protocols?

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.