
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Illinois Department of Human Services Phishing Attack Impacts 1.1 Million Customers

Earlier this year, an email phishing attack on the Illinois Department of Human Services (IDHS) saw multiple employees tricked into disclosing their credentials. The threat actor was able to access email accounts that contained the public assistance account information of more than 1.1 million customers, including the Social Security numbers of 4,701 customers.

According to an IDHS media notice on December 20, 2024, the email accounts were compromised on April 25, 2024. Assisted by the Illinois Department of Innovation and Technology (DoIT), IDHS investigated the incident to determine the extent of the data breach and the individuals who had sensitive data exposed. On May 3, 2024, IDHS determined the incident was a reportable data breach under the Illinois Personal Information Protection Act (PIPA); however, it took several months to analyze the email accounts and associated files.

The analysis revealed 1,118,993 customers had public assistance account information compromised, including their name and public assistance account number in combination with some or all of the following: address, date of birth, Illinois State Board of Education Student Information System ID number, Recipient Identification Number, and cell phone number.

Separately, IDHS reports that the Social Security numbers of 4,701 customers and 3 employees were contained in exposed files. Individual notification letters were mailed to 2,918 individuals on October 31, 2024, and email notices were sent to the 3 affected employees on November 21, 2024. The remaining 1,783 individuals who had their Social Security numbers exposed could not be notified by mail due to a lack of an address on file and were considered notified via the website and media notices.

Under PIPA, substitute data breach notices can be issued when the number of affected individuals exceeds 500,000 and the cost of mailing notifications exceeds $250,000. Due to the lower sensitivity of the exposed data for the 1,118,993 customers, substitute notices were issued. IDHS said it provides security awareness training to its employees that includes training on how to identify, report, and avoid phishing attempts, and will continue to do so.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
