Illinois lawmaker questions IDHS over years-long data breach
[January 20, 2026]
By Catrina Barker | The Center Square contributor
(The Center Square) – An Illinois lawmaker slammed the state agency as
“incompetent” after the Department of Human Services revealed it had
accidentally exposed private health information of hundreds of thousands
of residents on a public website and left it accessible for more than
three years before discovering the breach.
State Sen. Terri Bryant, R-Murphysboro, said the breach, and the
agency’s delayed public notification, follows a troubling pattern of
data security failures across multiple state agencies under the Pritzker
administration.
“This isn’t the first data breach,” Bryant told TCS. “What’s alarming is
how long this information was publicly accessible and how long it took
for people to be notified after the problem was discovered.”
IDHS said incorrect privacy settings exposed protected health
information for more than 700,000 Illinois residents on an internal
mapping website from 2021 until September 2025.
Although federal law requires public notification within 60 days, the
agency waited 102 days to disclose the breach, a delay Bryant called
legally and ethically troubling.
“IDHS is working to ensure that this does not happen again, as the
privacy of customers is of paramount importance,” IDHS said in a recent
news release.
“Federal law is clear. People are supposed to be notified within 60
days,” she said. “They discovered this in September, and here we are in
January. To my knowledge, those notifications were not made on time, and
the agency still won’t explain why.”
Bryant questioned whether contractors played a role in the breach,
noting the exposed data overlaps with a period during the COVID-19
pandemic when the state awarded no-bid contracts to manage agency
operations.
“There was a no-bid contract during COVID worth $21 to $22 million
awarded to Deloitte to manage [the Illinois Department of Employment
Security],” Bryant said. “I want to know whether this breach happened
while contractors were involved or whether this was purely an internal
failure. Either answer is bad, but the public deserves to know which it
is.”
During COVID-19, Deloitte managed Illinois’ Pandemic Unemployment
Assistance system, which experienced major data breaches that exposed
personal information and led to lawsuits and settlements.
Bryant said repeated breaches across state agencies point to systemic
failures rather than isolated mistakes.
[to top of second column]
|
“If this is really about something as simple as incorrect privacy
settings, that’s even more concerning,” she said. “This is extremely
sensitive information, financial data and medical information. There
should be safeguards in place, and there should be someone clearly
responsible for making sure those safeguards work.”
Bryant also highlighted the April 2021 ransomware attack on the
Illinois Attorney General’s office, which exposed names, addresses,
and Social Security numbers of potentially millions of residents
after hackers using DoppelPaymer malware posted data when ransom
demands failed, forcing the state to spend heavily on cybersecurity
recovery and forensic audits.
She compared the current situation to an incident she witnessed
decades ago while working for the Illinois Department of
Corrections, when a far smaller exposure of sensitive information
prompted immediate notification and serious disciplinary action.
“That situation was handled quickly, efficiently and transparently,”
Bryant said. “That’s not what we’re seeing today.”
Bryant said affected individuals should, at a minimum, receive free
credit monitoring, adding that similar measures were taken following
previous breaches at state agencies.
“The taxpayers are probably going to end up footing the bill again,”
she said. “That’s unacceptable when these breaches are preventable.”
IDHS said it has since implemented a new Secure Map Policy that
prohibits uploading any customer-level data to public mapping
websites and restricts access to authorized personnel.
Bryant said Republican senators plan to raise the issue during
leadership meetings and push for answers, though she acknowledged
that Democrats control the General Assembly.
“We’re in a super minority, so we don’t get to set hearings,” she
said. “But we will be asking why people weren’t notified, what’s
being done now, and how the state plans to make sure this never
happens again.”
TCS asked IDHS why it took over three years to discover the breach,
why notification took more than 100 days, whether a contractor was
responsible, if the agency will compensate affected residents, and
how it plans to respond to Republican senators pushing for answers.
IDHS did not immediately respond.
All contents © copyright 2026 Associated Press. All rights reserved |
