**Illinois Department of Human Services Data Breach Exposes Over 670,000 Residents’ Information**
The personal information of more than 670,000 Illinois residents may have been publicly accessible online for several years, the Illinois Department of Human Services (IDHS) announced Friday.
On September 22, IDHS discovered that maps created by one of its divisions on a mapping website were “publicly viewable due to incorrect privacy settings,” according to a notice shared with the media. These maps were intended for internal use to help the department make decisions about resource allocation, such as determining where to open new local offices.
However, the maps contained sensitive information, including data on 32,401 customers from the Division of Rehabilitation Services and 672,616 individuals who were Medicaid and Medicare Savings Program recipients. The Medicare Savings Program is a state Medicaid initiative that helps qualifying individuals pay for Medicare premiums and other costs.
For Division of Rehabilitation Services customers, exposed data included names, addresses, case numbers, and case statuses. This information was publicly accessible from April 2021 through September 2025. For Medicaid and Medicare Savings Program recipients, the exposed data included addresses, case numbers, demographic information, and names of medical assistance plans—but did not include individual patient names. This information was publicly viewable from January 2022 through September 2025.
The department was unable to determine who may have viewed the maps, but stated it is not aware of any misuse of the personal information. Upon discovering the issue, IDHS immediately changed the privacy settings on the maps so that only authorized employees could access them. The department has also implemented a new policy prohibiting customer data from being uploaded to public mapping websites.
IDHS is in the process of notifying affected individuals about the incident. “IDHS is working to ensure that this does not happen again, as the privacy of customers is of paramount importance,” the department said in its notice.
Under the Health Insurance Portability and Accountability Act (HIPAA), organizations must report breaches involving the protected health information of 500 or more individuals to the U.S. Department of Health and Human Services’ Office for Civil Rights.
For more information, affected individuals are encouraged to contact the Illinois Department of Human Services.
https://www.chicagotribune.com/2026/01/02/data-breach-illinois-department-human-services/