**Illinois Department of Human Services Exposes Sensitive Data of Over 700,000 Patients**
The Illinois Department of Human Services (IDHS) disclosed a years-long data exposure affecting thousands of patients, revealing sensitive personal information due to incorrect privacy settings on public mapping tools. Between 2021 and 2025, internal maps—created to guide resource allocation and office placements—were left accessible online, inadvertently exposing patient data.
The breach impacted two groups: over 32,000 Division of Rehabilitation Services customers, whose names, addresses, case details, and referral information were visible from April 2021 to September 2025, and approximately 670,000 Medicaid and Medicare Savings Program recipients, whose addresses, case numbers, demographic data, and medical plan names were exposed from January 2022 to September 2025.
IDHS stated it cannot determine who accessed the maps and has found no evidence of misuse. The agency discovered the issue on September 22, 2025, immediately restricting map access to authorized personnel and implementing a new policy banning the upload of customer data to public mapping platforms. Affected individuals will receive notifications with additional details and a contact number for further inquiries.
Illinois Department of Healthcare and Family Services cybersecurity rating report: https://www.rankiteo.com/company/ildhfs
{
    "id": "ILD1767411312",
    "linkid": "ildhfs",
    "type": "Breach",
    "date": "1/2026",
    "severity": "85",
    "impact": "4",
    "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '702,000',
            'industry': 'Healthcare / Social Services',
            'location': 'Illinois, USA',
            'name': 'Illinois Department of Human Services (IDHS)',
            'size': 'Large',
            'type': 'Government Agency'
        }
    ],
    'attack_vector': 'Misconfiguration',
    'customer_advisories': 'Notices sent to affected individuals with a phone number for more information',
    'data_breach': {
        'number_of_records_exposed': '702,000',
        'personally_identifiable_information': 'Names, addresses, case numbers, demographic information',
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': 'Personally Identifiable Information (PII), Case Information, Demographic Information, Medical Assistance Plan Names'
    },
    'date_detected': '2025-09-22',
    'date_publicly_disclosed': '2025-09-26',
    'date_resolved': '2025-09-22',
    'description': 'The names and addresses of thousands of patients of the Illinois Department of Human Services were incorrectly made publicly viewable for several years due to incorrect privacy settings on mapping tools used by the agency.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage to Illinois Department of Human Services',
        'data_compromised': 'Names, addresses, case numbers, case status, referral source information, region and office information, demographic information, medical assistance plan names',
        'identity_theft_risk': 'High',
        'operational_impact': 'Implementation of secure map policy and restricted access to authorized employees',
        'systems_affected': 'Public mapping website'
    },
    'investigation_status': 'Ongoing (unable to identify who viewed the maps)',
    'lessons_learned': 'Importance of proper privacy settings and secure data handling policies for public-facing tools',
    'post_incident_analysis': {
        'corrective_actions': 'Implementation of secure map policy and restricted access to authorized employees',
        'root_causes': 'Incorrect privacy settings on public mapping tools'
    },
    'recommendations': 'Regular audits of privacy settings, employee training on data security, and stricter controls on public data uploads',
    'references': [
        {
            'date_accessed': '2025-09-26',
            'source': 'Illinois Department of Human Services Statement'
        }
    ],
    'regulatory_compliance': {
        'regulations_violated': ['HIPAA', 'State Data Privacy Laws']
    },
    'response': {
        'communication_strategy': 'Notices sent to affected individuals with a phone number for more information',
        'containment_measures': 'Immediate change of privacy settings to restrict access to authorized IDHS employees',
        'remediation_measures': 'Implementation of a secure map policy prohibiting upload of customer data to public mapping websites'
    },
    'title': 'Illinois Department of Human Services Patient Data Exposure',
    'type': 'Data Exposure',
    'vulnerability_exploited': 'Incorrect privacy settings on public mapping tools'
}