
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Illinois Department of Human Services Exposes Sensitive Data of 700,000 Individuals Online

The Illinois Department of Human Services (IDHS) has announced a major data breach affecting hundreds of thousands of state residents, whose sensitive data has been exposed online. IDHS created planning maps to assist with resource allocation and decision-making, which were added to a mapping website. On or around September 22, 2025, IDHS discovered that the website, which was intended for internal department use only, was accessible via the public Internet. Upon discovery, the website was immediately secured, and an investigation was launched to determine the cause of the error and the extent of any data exposure.

The investigation revealed that sensitive data had been exposed online for up to four years between 2021 and 2025. The planning maps had been created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation, which inadvertently misconfigured the privacy settings. Following a comprehensive review, IDHS determined that the protected health information of approximately 672,616 Medicaid and Medicare Savings Program recipients had been exposed online between January 2022 and September 2025. Those individuals had information such as their addresses, case numbers, demographic information, and medical assistance plan names (e.g., Medicaid, Medicare, etc.) exposed online, but not their names.

Further, approximately 32,401 customers of the Division of Rehabilitation Services (DRS) had data exposed from April 2021 through September 2025. The exposed data included names, addresses, case numbers, case statuses, referral source information, region and office information, and their status as DRS recipients. The privacy settings were changed for all maps between September 22 and September 26, 2025, to ensure they could only be accessed by authorized IDHS employees, per their role-specific needs. IDHS has also implemented a Secure Map Policy that prohibits any customer-level data from being uploaded, entered, or stored on public mapping websites.

IDHS was unable to determine who viewed the maps while they were exposed, but said it is unaware of any misuse of the exposed data. Notification letters have been mailed to all affected individuals, and the data breach has been reported to appropriate regulators, including the HHS’ Office for Civil Rights. This is the second major data breach to be announced by IDHS in a little over a year. In December 2024, IDHS notified 1.1 million customers that some of their sensitive data was exposed as a result of a phishing attack.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
