Jan 8
IDHS Data Leak Exposed Personal Info of 700,000 Illinois Residents
SPRINGFIELD, IL – The Illinois Department of Human Services (IDHS) has disclosed a massive data breach that left the personal information of more than 700,000 residents exposed on the open internet for up to four years.
The agency revealed on January 2nd that the sensitive data—which is protected under the Health Insurance Portability and Accountability Act (HIPAA)—remained publicly accessible until it was finally removed in September 2025.
Mapping Errors Led to Exposure
The breach stemmed from the use of public mapping websites by agency officials. According to IDHS, staff members uploaded customer-level data to create planning maps intended for resource allocation. However, these maps were inadvertently left open to the public.
The exposure impacted two distinct groups:
Disabled Customers: Approximately 32,400 individuals served by the Division of Rehabilitation Services had their names and addresses exposed from April 2021 through September 2025.
Benefits Recipients: Information belonging to 672,616 Medicaid and Medicare Savings Program recipients—including addresses and public benefits status—was accessible from January 2022 through September 2025.
Risk Assessment and Response
While the agency confirmed the data was vulnerable for years, officials stated they have not yet found evidence of "attempted misuse" of the information. However, they admitted they are unable to determine exactly who may have viewed or downloaded the maps while they were online.
In response to the incident, IDHS has implemented a new policy strictly prohibiting employees from entering customer-level data into any public mapping platforms.
A Pattern of Security Failures
This disclosure comes on the heels of another major security lapse. In December 2024, IDHS reported a separate data breach involving a phishing attack that compromised the sensitive information of 1.1 million residents.
The recurring nature of these breaches has raised concerns regarding the agency's data handling protocols and the long-term safety of resident information.
Note for Residents: IDHS typically notifies affected individuals via mail. Residents are encouraged to monitor their credit reports and be vigilant against potential phishing attempts.
Executive IT Forums, Inc.
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.