CHAMPAIGN, Ill. (Chambana Today) — On Friday, the Illinois Department of Human Services (IDHS) shared a public notice after it learned that a security incident involving internal planning maps resulted in protected health information being made public.
The notice is pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414.
On September 22 of last year, IDHS discovered that maps created by its Division of Family and Community Services’ Bureau of Planning and Evaluation on a mapping website were publicly viewable due to incorrect privacy settings. The maps were created to assist IDHS with resource allocation decisions, and were intended for IDHS use only.
The incident involves two categories of affected individuals:
Division of Rehabilitation Services (DRS) Customers: Approximately 32,401 DRS customers. The maps containing DRS customer information were publicly accessible from April 2021 through September 2025. The information involved includes: names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients.
Medicaid and Medicare Savings Program Recipients: Approximately 672,616 Medicaid and Medicare Savings Program recipients. The maps containing this information were publicly accessible from January 2022 through September 2025. The information involved includes: addresses, case numbers, demographic information, and the name of medical assistance plans (such as Medicaid, Medicare, etc.). The information did not include recipients’ names.
The mapping website was unable to identify who viewed the maps. To date, IDHS is unaware of any actual or attempted misuse of personal information as a result of this incident.
Upon discovering this incident, IDHS immediately changed the privacy settings on all maps between September 22, 2025, and September 26, 2025, to restrict access to only authorized IDHS employees. A comprehensive review to determine the data contained in each map and assess reporting obligations under applicable State and federal privacy laws was conducted. IDHS has developed and implemented a Secure Map Policy that prohibits the uploading of any customer-level data to public mapping websites. Under this new policy, no identifiable customer information may be uploaded, entered, or stored on public mapping platforms. Access to any customer-related maps is now restricted to authorized personnel based on role-specific needs.
IDHS is in the process of sending notice, as required by law, to the individuals affected by this incident and to all applicable regulatory authorities. It is working to ensure that this does not happen again, as the privacy of customers is of paramount importance.
The individual notices being sent to affected customers will include toll-free numbers where customers can call for additional information. Credit reporting agencies and the Federal Trade Commission can also offer information about fraud alerts and security freezes and contact information for those organizations is being provided to the affected individuals.
