The Illinois Department of Human Services disclosed a major data breach involving the public exposure of sensitive health-related information belonging to more than 700,000 Illinois residents after internal planning maps were mistakenly made accessible on the internet for several years.

The agency confirmed that the breach stemmed from incorrect privacy settings on a mapping website used by its Division of Family and Community Services’ Bureau of Planning and Evaluation. The maps, created to support internal resource allocation and decision-making, were intended solely for departmental use but were publicly viewable until the error was discovered on or about Sept. 22, 2025. The site was secured immediately, and an internal investigation was launched to assess the scope and duration of the exposure.
The investigation determined that protected health information for approximately 672,616 recipients of Medicaid and the Medicare Savings Program was exposed online between January 2022 and September 2025. The data included addresses, case numbers, demographic details, and medical assistance plan names, such as Medicaid or Medicare. Recipients’ names were not included in the exposed material.
In a separate but related exposure, data belonging to about 32,401 customers of the Division of Rehabilitation Services, which provides support to people with disabilities, was publicly accessible from April 2021 through September 2025. That information included names, addresses, case numbers, case statuses, referral source details, regional and office identifiers, and confirmation of individuals’ participation in rehabilitation services.
IDHS confirmed that all affected maps had their privacy settings corrected between Sept. 22 and Sept. 26, 2025, restricting access exclusively to authorized employees based on role-specific needs. The agency also implemented a new Secure Map Policy prohibiting the uploading, entry, or storage of any customer-level data on public mapping platforms.
Officials said the department was unable to determine who may have accessed the exposed maps during the period they were publicly available. The agency stated it is not aware of any misuse of the information. Notification letters have been mailed to all affected individuals, and the breach has been reported to appropriate regulators, including the U.S. Department of Health and Human Services’ Office for Civil Rights.
The disclosure marks the second major data breach announced by IDHS in just over a year. In December 2024, the department notified approximately 1.1 million customers that their information had been exposed following a phishing attack.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543