Illinois Department of Human Services: Illinois Department of Human Services reports data breach affecting 700,000+ individuals

Illinois IDHS Discloses Data Exposure Affecting Over 700,000 Individuals

The Illinois Department of Human Services (IDHS) revealed a security incident on September 22, 2025, involving the unintended public exposure of sensitive data on internal planning maps. The breach stemmed from incorrect privacy settings on maps created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation, which were meant for internal use only.

The incident impacted two groups: approximately 32,401 Division of Rehabilitation Services (DRS) customers and 672,616 Medicaid and Medicare Savings Program recipients. For DRS customers, exposed data—available from April 2021 to September 2025—included names, addresses, case numbers, and other personal details. Medicaid and Medicare recipients had addresses, case numbers, and demographic information exposed from January 2022 to September 2025, though names were not included in these records.

IDHS confirmed no evidence of misuse but took immediate action to restrict map access and conduct a compliance review under state and federal privacy laws. A new Secure Map Policy has since been implemented, banning the upload of customer-level data to public platforms and limiting map access to authorized personnel. Notifications are being issued to affected individuals and regulatory bodies, including guidance on fraud alerts and security freezes.

Source: https://newschannel20.com/news/local/illinois-department-of-human-services-reports-data-breach-affecting-700000-individuals

Illinois Department of Central Management Services cybersecurity rating report: https://www.rankiteo.com/company/illinoiscms

"id": "ILL1767807165",
"linkid": "illinoiscms",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '705,017 (32,401 DRS customers + '
                                              '672,616 Medicaid/Medicare '
                                              'recipients)',
                        'industry': 'Public Sector / Human Services',
                        'location': 'Illinois, USA',
                        'name': 'Illinois Department of Human Services (IDHS)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Misconfiguration',
 'customer_advisories': 'Notices sent to affected individuals with information '
                        'on fraud alerts and security freezes',
 'data_breach': {'data_exfiltration': 'No evidence of misuse or exfiltration',
                 'file_types_exposed': 'Maps (specific file types not '
                                       'disclosed)',
                 'number_of_records_exposed': '705,017',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information)',
                 'type_of_data_compromised': ['Names',
                                              'Addresses',
                                              'Case numbers',
                                              'Demographic information',
                                              'Other personal details']},
 'date_detected': '2025-09-22',
 'description': 'The Illinois Department of Human Services (IDHS) disclosed a '
                'security incident involving the exposure of sensitive '
                'information on publicly accessible maps. The breach affected '
                'internal planning maps created by the IDHS Division of Family '
                'and Community Services’ Bureau of Planning and Evaluation, '
                'which were mistakenly made public due to incorrect privacy '
                'settings.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive data',
            'data_compromised': 'Names, addresses, case numbers, demographic '
                                'information, and other personal details',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential violations of state and federal '
                                 'privacy laws',
            'operational_impact': 'Review and remediation of privacy settings, '
                                  'implementation of new Secure Map Policy',
            'systems_affected': 'Publicly accessible maps platform'},
 'investigation_status': 'Completed (no evidence of misuse found)',
 'lessons_learned': 'Importance of proper privacy settings and access controls '
                    'for sensitive data, especially in public-facing '
                    'platforms. Need for stricter policies to prevent upload '
                    'of customer-level data to public platforms.',
 'post_incident_analysis': {'corrective_actions': 'Implementation of Secure '
                                                  'Map Policy, restricted '
                                                  'access to maps, review of '
                                                  'privacy settings',
                            'root_causes': 'Incorrect privacy settings on '
                                           'publicly accessible maps, lack of '
                                           'strict policies preventing upload '
                                           'of customer-level data to public '
                                           'platforms'},
 'recommendations': 'Implement and enforce a Secure Map Policy, restrict map '
                    'access to authorized personnel, conduct regular audits of '
                    'privacy settings, and provide training on data protection '
                    'best practices.',
 'references': [{'source': 'IDHS Public Disclosure'}],
 'regulatory_compliance': {'regulations_violated': ['State and federal privacy '
                                                    'laws'],
                           'regulatory_notifications': 'Yes (notices sent to '
                                                       'regulatory '
                                                       'authorities)'},
 'response': {'communication_strategy': 'Notices sent to affected individuals '
                                        'and regulatory authorities',
              'containment_measures': 'Restricted access to the maps',
              'remediation_measures': 'Review of privacy settings, '
                                      'implementation of new Secure Map '
                                      'Policy'},
 'title': 'Illinois Department of Human Services (IDHS) Sensitive Data '
          'Exposure on Public Maps',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Incorrect privacy settings on public maps'}