Illinois health department says hackers accessed citizens' personal & health benefits information

The Illinois Department of Healthcare and Family Services (HFS) and the Department of Human Services (IDHS) suffered a data security incident that involved threat actors infiltrating the State of Illinois Application for Benefits Eligibility (ABE) system’s Manage My Case (MMC) portal.

The Application for Benefits Eligibility system is used to determine an individual’s eligibility to receive State-funded medical benefits programs (Medicaid), the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). The MMC portal within ABE enables departments’ customers to see their case history and benefit details, as well as change account and benefits information.

In a data breach notice posted on its website, the Illinois Department of Healthcare and Family Services (HFS) and Department of Human Services (IDHS) said that on March 13th, it identified suspicious user accounts created within the ABE system.

“These suspicious accounts were able to link to existing customer MMC accounts by providing the customer’s date of birth and Individual ID or Social Security Number, and then correctly answering several identity proofing questions,” the notice read.

According to the department, threat actors stole the sensitive personal information of individuals elsewhere and then used the same to access customers’ MMC accounts. 

 

The compromised information included clients’ names, addresses, phone numbers, dates of birth, recipient identification numbers, individual IDs, Case IDs, Social Security Numbers, benefits applied for and received, and income information.

“If the client applied for benefits through the ABE portal, the application and any documents uploaded to support the application could be viewed. Information of individuals included on the application for benefits or receiving benefits with the household could also have been viewed,” IDHS added.

In response to the security incident, the departments “deployed a new software to stop the creation of more suspicious user accounts and de-linked the suspicious accounts from the customer accounts.” 

 

It also notified all affected individuals, the members of the Illinois General Assembly, and the Office of the Illinois Attorney General on May 12th about the data security incident.

The Illinois Department of Healthcare and Family Services and the Illinois Department of Human Services have set up a dedicated phone line for affected individuals to help them and answer any questions about the security incident. Affected individuals can also contact consumer reporting agencies to place a free fraud alert or security freeze on their accounts.