Illinois Department of Human Services Exposes Health Data of Over 700,000 Individuals for Over Three Years
The Illinois Department of Human Services (IDHS) recently disclosed a data breach involving the protected health information (PHI) of more than 705,000 individuals, which remained publicly accessible on a mapping website for over three years. The breach affected two groups: approximately 32,401 customers of the Division of Rehabilitation Services (DRS) and 672,600 recipients of the Medicaid and Medicare Savings Program.
The exposed data, uploaded to a public mapping platform used by IDHS’s Bureau of Planning and Evaluation, was intended for internal resource allocation purposes. Due to incorrect privacy settings, the information was viewable to the public from April 2021 to September 2025 for DRS customers and from January 2022 to September 2025 for Medicare Savings Program recipients. The breach included sensitive details such as names, addresses, case numbers, and demographic information, though Medicare recipients’ names were not exposed.
IDHS discovered the misconfiguration on September 22, 2025, and immediately restricted access to authorized personnel. However, the agency failed to meet federal HIPAA requirements, which mandate notification of affected individuals and media outlets within 60 days of discovery. Instead, IDHS issued a public statement on January 2, 2026, 102 days after identifying the breach.
When questioned about the delayed discovery and notification, IDHS declined to provide an explanation, stating only that customer privacy was a priority and that corrective measures, including a new Secure Map Policy, had been implemented to prevent future incidents. The policy now prohibits the upload of identifiable customer data to public mapping platforms.
Source: https://www.kwqc.com/2026/01/06/illinois-department-human-services-reports-yearslong-data-breach/
Illinois Department of Healthcare and Family Services cybersecurity rating report: https://www.rankiteo.com/company/ildhfs
{
  "id": "ILD1768217682",
  "linkid": "ildhfs",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '705,001',
                        'industry': 'Healthcare and Social Services',
                        'location': 'Illinois, USA',
                        'name': 'Illinois Department of Human Services (IDHS)',
                        'size': 'Large',
                        'type': 'Government Agency'}],
 'attack_vector': 'Misconfiguration',
 'customer_advisories': 'Affected individuals were notified, though delayed beyond the federally mandated 60-day period',
 'data_breach': {'number_of_records_exposed': '705,001',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Case numbers',
                                                         'Demographic information',
                                                         'Referral source information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Protected health information',
                                              'Personally identifiable information']},
 'date_detected': '2025-09-22',
 'date_publicly_disclosed': '2026-01-02',
 'date_resolved': '2025-09-22',
 'description': 'The Illinois Department of Human Services (IDHS) inadvertently stored protected health information on a publicly accessible mapping website for over three years, affecting over 32,000 Division of Rehabilitation Services customers and more than 672,600 Medicaid and Medicare Savings Program recipients. The breach was discovered in September 2025, but public notification was delayed beyond the federally mandated 60-day period.',
 'impact': {'brand_reputation_impact': "Negative impact on IDHS's reputation due to delayed notification and prolonged exposure of sensitive data",
            'data_compromised': 'Protected health information, including names, addresses, case numbers, case status, referral source information, demographic data, and medical assistance plan details',
            'identity_theft_risk': 'High risk due to exposure of personally identifiable information and protected health information',
            'legal_liabilities': 'Potential violations of HIPAA and other federal regulations',
            'operational_impact': 'Implementation of new Secure Map Policy and internal review processes',
            'systems_affected': 'Public mapping website used by IDHS Bureau of Planning and Evaluation'},
 'investigation_status': 'Completed',
 'lessons_learned': 'The incident highlights the importance of proper privacy settings and regular audits of public-facing systems containing sensitive data. It also underscores the need for timely compliance with federal breach notification requirements.',
 'post_incident_analysis': {'corrective_actions': 'Implementation of a Secure Map Policy, restriction of access to authorized personnel, and internal review of data handling practices',
                            'root_causes': 'Incorrect privacy settings on a public mapping website, lack of regular audits, and insufficient oversight of data handling practices'},
 'recommendations': ['Implement stricter access controls and privacy settings for public-facing systems',
                     'Conduct regular audits of systems containing sensitive data to ensure compliance with privacy policies',
                     'Establish clear protocols for timely breach notification in accordance with federal regulations',
                     'Provide additional training for staff on data privacy and security best practices'],
 'references': [{'source': 'Capitol News Illinois'}],
 'regulatory_compliance': {'regulations_violated': ['HIPAA'],
                           'regulatory_notifications': 'Delayed notification beyond the federally mandated 60-day period'},
 'response': {'communication_strategy': 'Issued a news release on January 2, 2026, detailing the breach and response measures',
              'containment_measures': 'Changed privacy settings to restrict access to authorized IDHS employees',
              'remediation_measures': 'Conducted a comprehensive review of the data exposed and implemented a Secure Map Policy prohibiting the upload of customer-level data to public mapping websites'},
 'title': 'IDHS Protected Health Information Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Incorrect privacy settings on a public mapping website'}