Illinois Department of Human Services (IDHS) suffered a data breach that impacted 700K individuals
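The Illinois Department of Human Services exposed the personal information and health data of 700,000 residents because of incorrect privacy settings. Internal planning maps were publicly accessible; once the exposure of sensitive data was found, access was immediately restricted and a new security policy was put in place. The department previously had the data of more than one million people exposed through a phishing attack. 2026-1-10 00:3:27 Author: securityaffairs.com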

Illinois Department of Human Services (IDHS) exposed personal and health data of nearly 700,000 residents due to incorrect privacy settings.

The Illinois Department of Human Services (IDHS) disclosed a data breach after misconfigured privacy settings exposed personal and health data of nearly 700,000 residents.

On September 22, 2025, IDHS discovered that internal maps meant for planning were publicly accessible due to misconfigured privacy settings.

“On September 22, 2025, IDHS discovered that maps created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation on a mapping website were publicly viewable due to incorrect privacy settings. These maps were created to assist IDHS with resource allocation decisions, such as determining where to open new local offices, and were intended for internal IDHS use only.” reads the press release published by IDHS.

About 32,401 Division of Rehabilitation Services (DRS) customers had sensitive details exposed (names, addresses, case numbers, referral sources, and recipient status) from April 2021 to September 2025. Additionally, 672,616 Medicaid and Medicare Savings Program recipients had addresses, case numbers, demographics, and plan names exposed from January 2022 to September 2025, though no names were included.

After discovering the public exposure of internal maps, IDHS immediately restricted access to authorized employees and conducted a full review of the data.

The department now uses a new Secure Map Policy that prohibits uploading identifiable customer information to public mapping sites, and access to maps is limited by role.

IDHS is notifying affected individuals and regulatory authorities. Impacted individuals will receive notices with toll-free numbers and information on fraud alerts and security freezes via credit agencies and the FTC.

In December 2024, threat actors used phishing to hack IDHS employee accounts, exposing personal data of over 1.1 million people.

Pierluigi Paganini

(SecurityAffairs – hacking, Illinois Department of Human Services)




Source: https://securityaffairs.com/186745/data-breach/illinois-department-of-human-services-idhs-suffered-a-data-breach-that-impacted-700k-individuals.html