Illinois Department of Human Services reports yearslong data breach
[January 07, 2026]
By Peter Hancock
SPRINGFIELD – The Illinois Department of Human Services disclosed
recently that it mistakenly uploaded private health-related information
about hundreds of thousands of Illinoisans to a publicly accessible
website and left it there for more than three years before it discovered
the mistake.
But the agency would not explain this week why it took officials so long
to discover the problem or why officials waited more than three months
after it was discovered to notify the individuals affected and the news
media, as required by federal rules.
In a news release dated Friday, Jan. 2, IDHS said the data breach
involved two categories of individuals. One category included
approximately 32,401 customers of its Division of Rehabilitation
Services, which provides services to people with disabilities. The other
involved more than 672,000 recipients in the Medicaid and Medicare
Savings Program, which helps low-income Medicare beneficiaries pay for
premiums, deductibles and coinsurance.
In both cases, the agency said, information about individuals was
uploaded to a mapping website used by the agency’s Bureau of Planning
and Evaluation. The bureau used that site to create maps “to assist IDHS
with resource allocation decisions, such as determining where to open
new local offices,” according to the news release. It said the maps were
intended for internal use only.

However, according to the news release, due to “incorrect privacy
settings,” the maps and the information contained within them were
publicly viewable.
The maps containing information about Rehabilitation Services customers
were publicly accessible from April 2021 through September 2025 when the
flaw was discovered, the agency said. That included customers’ names,
addresses, case numbers, case status, referral source information,
region and office information and individuals’ status as DRS recipients.
The maps containing information about Medicare Savings Program
recipients were publicly accessible from January 2022 until September
2025. The information included addresses, case numbers, demographic
information and the names of individuals’ medical assistance plans such
as Medicaid and Medicare. The information did not include recipients’
names.
In both cases, IDHS said, the vulnerabilities were discovered on Sept.
22, 2025, at which point officials changed the privacy settings to
restrict access to only authorized IDHS employees. The agency said it
also conducted a “comprehensive review” to determine the type of data
contained in each map and assess its reporting obligations under state
and federal law.
“IDHS has developed and implemented a Secure Map Policy that prohibits
the uploading of any customer-level data to public mapping websites,”
the agency said in its Jan. 2 news release. “Under this policy, no
identifiable customer information may be uploaded, entered, or stored on
public mapping platforms. Access to any customer-related maps is now
restricted to authorized personnel based on role-specific needs.”
Federal regulations
According to federal regulations under the Health Insurance Portability
and Accountability Act, or HIPAA, whenever a health plan, health care
clearinghouse or health care provider discovers an individual’s
protected health information has been breached, that entity is required
to notify the individual “without unreasonable delay and in no case
later than 60 calendar days after discovery of a breach.”
When a breach involves more than 500 residents of a state or
jurisdiction, the entities also are required to notify “prominent media
outlets” serving that area within 60 calendar days after discovery.
The news release announcing the two breaches at IDHS was issued 102 days
after the agency said it discovered the breaches.
IDHS declined to answer directly when asked by Capitol News Illinois why
it took the agency more than three years to realize it was exposing
individuals’ protected health information on a public website and why,
after discovering the vulnerability, it took the agency more than 100
days to provide the legally required public notification.
“The privacy and security of IDHS customers and residents is an utmost
priority,” the agency said in an email. “Immediately upon learning of
the issue, IDHS moved to secure the relevant information and began
internal review and practices to prevent anything similar from happening
in the future.”
Capitol News Illinois is
a nonprofit, nonpartisan news service that distributes state government
coverage to hundreds of news outlets statewide. It is funded primarily
by the Illinois Press Foundation and the Robert R. McCormick Foundation.