SPRINGFIELD, Ill. (Chambana Today) — The Illinois Department of Human Services (IDHS) has disclosed a security incident in which internal planning maps containing sensitive personal information were publicly accessible online due to incorrect privacy settings.
According to a notice released Thursday, the issue was discovered on Sept. 22, 2025, when IDHS learned that maps created by its Division of Family and Community Services’ Bureau of Planning and Evaluation were viewable on a public mapping website. The maps were intended for internal use only and were developed to support agency planning decisions, such as determining locations for new local offices.
The exposure affected two groups. Approximately 32,401 customers of the Division of Rehabilitation Services had personal information accessible between April 2021 and September 2025. The data included names, addresses, case numbers, case status, referral source information, regional and office details, and confirmation of participation in DRS programs.
In addition, about 672,616 Medicaid and Medicare Savings Program recipients were affected between January 2022 and September 2025. Information in those maps included addresses, case numbers, demographic details, and the names of medical assistance programs. Recipient names were not included in this second set of data.
IDHS said the mapping website could not determine who may have viewed the information. As of the release date, the agency reported no known instances of misuse or attempted misuse of the exposed data.
After discovering the issue, IDHS moved quickly to restrict access, correcting privacy settings on all affected maps between Sept. 22 and Sept. 26, 2025, limiting access to authorized employees only. The department also conducted a comprehensive review of the data involved to determine its reporting obligations under state and federal privacy laws.
The agency has since implemented a Secure Map Policy that prohibits uploading customer-level data to public mapping platforms. Under the new policy, no identifiable customer information may be stored on public mapping websites, and access to customer-related maps is now limited based on employees’ specific roles.
IDHS is in the process of notifying affected individuals, as required by law, as well as relevant regulatory authorities. Individual notices will include toll-free phone numbers for additional information and resources related to fraud alerts and security freezes through credit reporting agencies and the Federal Trade Commission.
The department emphasized that protecting customer privacy remains a top priority and stated it is taking steps to ensure a similar incident does not occur in the future.
