The Illinois Department of Human Services (IDHS), one of the largest state agencies in Illinois, has disclosed an accidental exposure of personal and health-related data affecting nearly 700,000 residents. The incident resulted from improperly configured privacy settings on an external mapping platform.
IDHS identified the issue on September 22 after determining that maps created by the Division of Family and Community Services were publicly accessible. These maps were developed to support internal resource planning decisions such as office location analysis but were unintentionally made visible online due to misconfigured access controls.
The maps remained publicly available for several years before the exposure was detected. As a result, two separate groups of residents were impacted. Approximately 672,616 individuals enrolled in Medicaid and the Medicare Savings Program had sensitive information exposed between January 2022 and September 2025. The data included residential addresses, case identification numbers, demographic information, and medical assistance plan names, though individual names were not disclosed.
A second group consisting of 32,401 Division of Rehabilitation Services clients experienced exposure of more detailed records between April 2021 and September 2025. The affected information included names, addresses, case numbers, case status details, and referral sources.
In a statement, IDHS confirmed that the maps created by the Bureau of Planning and Evaluation were publicly viewable on a mapping website due to incorrect privacy configurations. The agency noted that the platform could not determine who accessed the maps and reported no evidence of actual or attempted misuse of the exposed data.
Following discovery of the issue, IDHS restricted map access to authorized personnel, completing the process by September 26. The agency also conducted a comprehensive review of all affected maps and implemented controls to prevent the upload of identifiable customer data to public mapping services.
IDHS is notifying impacted individuals in accordance with federal health privacy regulations and has reported the incident to appropriate regulatory bodies.
This incident follows a previously disclosed breach in December 2024, when a phishing attack compromised multiple employee accounts and led to unauthorized access to the personal information of more than 1.1 million individuals.

