The Illinois Department of Human Services (IDHS) exposed personal information belonging to more than 700,000 state residents after inadvertently posting the data on the open internet where it remained for as long as four years before being taken down in September.

The agency learned in late September that personal data showing names, addresses and other information for more than 32,400 disabled customers were left on the open web after agency officials created planning maps on a mapping website to help direct resource allocations.

Around the same time, officials learned that addresses, public benefits status and other information belonging to 672,616 Medicaid and Medicare Savings Program recipients also were posted online.

The data exposed in the breach is protected health information under the Health Insurance Portability and Accountability Act (HIPAA). IDHS revealed the breach on January 2.

The information belonging to disabled customers of IDHS’s Division of Rehabilitation Services was publicly accessible from April 2021 through September 2025, the agency said in a press release.

Medicaid and Medicare Savings Program recipients’ data was publicly accessible from January 2022 through September 2025, the press release said.

Officials were unable to determine who viewed the maps, but say they do not know of any “attempted misuse” of the information. 

The agency has put in place a policy which prohibits staff from putting customer-level data into public mapping platforms moving forward, they said.

In December 2024, IDHS reportedly suffered a data breach that resulted from a phishing attack. In that case, 1.1 million residents’ sensitive data was exposed.