EXCLUSIVE — Sen. Bill Cassidy (R-LA), chairman of the Senate’s health committee, has launched an inquiry into the administration of Gov. JB Pritzker (D-IL) over its handling of a recent data breach that exposed the private health information of 700,000 state residents.
Cassidy is seeking detailed records from the Illinois Department of Human Services after leaving sensitive health-related information on a publicly accessible website for more than three years and delaying notification to affected individuals, according to a letter sent Tuesday by the senator to the Pritzker administration and obtained by the Washington Examiner.
The congressional scrutiny sets the stage for a high-stakes clash between Cassidy, who’s fighting for reelection against a Trump-backed primary challenger, and Pritzker, a possible 2028 presidential candidate who’s tussled with the Trump administration over its immigration enforcement operations in the Prairie State.
The most recent data breach, revealed by Illinois officials in early January, months after it was initially discovered, “raises questions” about the state’s “commitment to data security,” Cassidy wrote to Illinois health secretary Dulce Quintero and Pritzker. It came on the heels of a 2024 hacking into the Illinois Department of Human Services that exposed the private information of more than 1 million people, including roughly 4,700 whose Social Security numbers were exposed.
“Despite IDHS’ role in helping vulnerable communities, its repeated failures to implement basic security processes highlight IDHS’ disregard of its responsibility to over 4.6 million Illinois residents,” Cassidy wrote.
Pritzker and the Illinois Department of Human Services did not respond to requests for comment.
Cassidy laid out detailed questions in his letter and requested a response by Feb. 25. Being in the majority, the Senate Republican chairman holds immense subpoena power to compel information and testimony.
Cassidy’s line of questioning included why the department did not notify affected parties until January after discovering the security incident more than three months earlier in September 2025, requesting information about its current cybersecurity protocols and what steps were previously taken to improve data security following the 2024 breach.
In a Jan. 2 news release, the Illinois Department of Human Services revealed “incorrect privacy settings” on a state government website exposed the health data of more than 32,000 recipients of the state’s Division of Rehabilitation Services for people with disabilities and 672,000 recipients of the Medicaid and Medicare Savings Program for low-income beneficiaries. The data was uploaded to a “mapping website” of the Division of Family and Community Services’ Bureau of Planning and Evaluation under the human services department to assist the agency “with resource allocation decisions, such as determining where to open new local offices.”
“The mapping website was unable to identify who viewed the maps,” the statement read. “To date, IDHS is unaware of any actual or attempted misuse of personal information as a result of this incident.”
CONGRESSIONAL BUDGET OFFICE SAYS IT WAS HACKED IN ‘SECURITY INCIDENT’
Cassidy suggested Illinois violated federal law under the Health Insurance Portability and Accountability Act that requires notifying affected individuals and the public no later than 60 days after the discovery of a breach.
“Protecting the privacy and security of sensitive health information is essential to ensure that patients receive the best care and that their information is not misused,” Cassidy wrote in his letter. “Cyber criminals continue to exploit vulnerabilities to gain access to this data, potentially using it to interrupt care and commit fraud.”