Illinois Department of Human Services Reports Massive Data Exposure Affecting Over 700,000 Individuals
The Illinois Department of Human Services (IDHS) has disclosed a significant data security incident involving internal planning maps that were inadvertently made public due to incorrect privacy settings. The exposed data included sensitive information related to customers of the Division of Rehabilitation Services (DRS) and recipients of the Medicaid and Medicare Savings Program (MMSP).
The breach impacted 32,401 DRS customers, with their data—including names, addresses, case numbers, case status, referral sources, and regional office details—publicly accessible from April 2021 to September 2025. Additionally, 672,616 MMSP recipients were affected, with exposed data containing addresses, case numbers, demographic details, and medical assistance plan names (though not individual names). The MMSP maps were publicly available from January 2022 through September 2025.
The incident was discovered on September 22, 2025, prompting immediate action to restrict map access. IDHS has since implemented a new Secure Map Policy, prohibiting the upload of customer-level data to public mapping platforms. While there is no evidence of data misuse, the department is notifying affected individuals and providing resources, including toll-free support lines and guidance on fraud alerts and security freezes through credit reporting agencies and the Federal Trade Commission.
"id": "STA1767411522",
"linkid": "state-of-illinois",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
    'affected_entities': [
        {
            'customers_affected': '705,017',
            'industry': 'Public Sector / Healthcare',
            'location': 'Illinois, USA',
            'name': 'Illinois Department of Human Services',
            'size': 'Large',
            'type': 'Government Agency',
        },
    ],
    'attack_vector': 'Misconfiguration',
    'customer_advisories': 'Notices being sent to affected individuals with toll-free numbers for additional information. Credit reporting agencies and FTC contact information provided.',
    'data_breach': {
        'data_exfiltration': 'No evidence of data exfiltration',
        'file_types_exposed': 'Mapping data files',
        'number_of_records_exposed': '705,017',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High (Personally Identifiable Information and healthcare-related data)',
        'type_of_data_compromised': [
            'Names',
            'Addresses',
            'Case numbers',
            'Case status',
            'Referral source information',
            'Region and office information',
            'Demographic information',
            'Medical assistance plan names',
        ],
    },
    'date_detected': '2025-09-22',
    'date_publicly_disclosed': '2025-09-22',
    'description': 'The Illinois Department of Human Services (IDHS) is notifying the public of a data security incident involving internal planning maps that were mistakenly made public due to incorrect privacy settings. The maps contained sensitive information related to some individuals in the Division of Rehabilitation Services and recipients of the Medicaid and Medicare Savings Program.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage due to data exposure',
        'data_compromised': 'Yes',
        'identity_theft_risk': 'Yes',
        'legal_liabilities': 'Potential regulatory fines and legal actions',
        'operational_impact': 'Notification process ongoing, policy changes implemented',
        'payment_information_risk': 'No',
        'systems_affected': 'Public mapping website',
    },
    'investigation_status': 'Ongoing',
    'lessons_learned': 'Importance of proper privacy settings and secure handling of sensitive data on public platforms. Need for stricter internal policies regarding data uploads to third-party services.',
    'post_incident_analysis': {
        'corrective_actions': 'Implementation of new Secure Map Policy, immediate limitation of map access, ongoing notifications to affected individuals',
        'root_causes': 'Incorrect privacy settings on a public mapping website leading to unintended data exposure',
    },
    'recommendations': [
        'Implement stricter access controls and privacy settings for public-facing tools',
        'Conduct regular audits of data shared on third-party platforms',
        'Enhance employee training on data security and privacy best practices',
        'Establish a dedicated incident response team for data exposure incidents',
    ],
    'references': [
        {
            'date_accessed': '2025-09-22',
            'source': 'Illinois Department of Human Services Public Notice',
        },
    ],
    'regulatory_compliance': {
        'regulations_violated': [
            'Potential HIPAA violations (if applicable)',
            'State data protection laws',
        ],
        'regulatory_notifications': 'Not specified',
    },
    'response': {
        'communication_strategy': 'Public disclosure, notices to affected customers with toll-free numbers for information',
        'containment_measures': 'Immediate limitation of map access, implementation of new secure map policy',
        'incident_response_plan_activated': 'Yes',
        'recovery_measures': 'Ongoing notification to affected individuals',
        'remediation_measures': 'New Secure Map Policy prohibiting upload of customer-level data to public mapping websites',
    },
    'stakeholder_advisories': 'Not specified',
    'title': 'Illinois Department of Human Services Data Security Incident',
    'type': 'Data Exposure',
    'vulnerability_exploited': 'Incorrect privacy settings on a public mapping website',
}