The Illinois Department of Human Services (IDHS), one of Illinois’ largest state agencies, accidentally exposed the personal and health data of nearly 700,000 residents due to incorrect privacy settings.
The agency discovered the data breach on September 22 when it found that maps created by the IDHS Division of Family and Community Services for resource allocation decisions were publicly viewable on a mapping website due to misconfigured privacy controls.
These maps, intended for internal use to guide decisions such as office placement, remained accessible online for years before the issue was discovered last year.
The resulting data breach affected two groups of Illinois residents. Roughly 672,616 Medicaid and Medicare Savings Program recipients had their addresses, case numbers, demographic details, and medical assistance plan names exposed online from January 2022 through September 2025, but their names were not included.
Another, smaller group of 32,401 Division of Rehabilitation Services customers had information, including names, addresses, case numbers, case status, and referral sources, exposed from April 2021 through September 2025.
“On September 22, 2025, IDHS discovered that maps created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation on a mapping website were publicly viewable due to incorrect privacy settings,” the IDHS said.
“The mapping website was unable to identify who viewed the maps. To date, IDHS is unaware of any actual or attempted misuse of personal information as a result of this incident.”
After discovering the incident, the IDHS restricted access to the maps to authorized employees, completing the lockdown on September 26. The agency has also conducted a review of all exposed maps and now blocks attempts to upload identifiable customer information to public mapping platforms.
The agency is notifying affected individuals as required by federal health privacy law and has reported the incident to relevant regulatory authorities.
In December 2024, the IDHS disclosed another data breach after attackers breached multiple employee accounts following a phishing attack and accessed the personal information of 1,166,094 people.
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
