The personal information of more than 670,000 Illinois residents may have been publicly accessible online for several years, the Illinois Department of Human Services said Friday.
The department discovered Sept. 22 that maps created by one of its divisions on a mapping website were “publicly viewable due to incorrect privacy settings,” according to a notice shared with the media Friday. The maps were intended for the department’s internal use to help it make decisions about where to allocate resources, such as where to open new local offices.
Those maps included the personal information of 32,401 customers with the department’s Division of Rehabilitation Services, as well as information of 672,616 people who were Medicaid and Medicare Savings Program recipients. The Medicare Savings Program is a state Medicaid program that helps people pay for Medicare premiums and other costs.
Personal information of Division of Rehabilitation Services customers included names, addresses, case numbers and case statuses, and was publicly accessible from April 2021 through September 2025.
Exposed information of Medicaid and Medicare Savings Program recipients included addresses, case numbers, demographic information and the names of medical assistance plans but not individual patients’ names, and the information was publicly viewable from January 2022 through September 2025.
The department was unable to identify who may have viewed the maps, but said in its notice that it’s not aware of any misuse of the personal information.
The department changed the privacy settings on the maps, when it discovered the issue, so only authorized employees could see them. The department has also implemented a policy prohibiting customer data from being uploaded to public mapping websites.
The department is in the process notifying affected individuals, according to the media notice.
“IDHS is working to ensure that this does not happen again, as the privacy of customers is of paramount importance,” the department said in the notice.
The Health Insurance Portability and Accountability Act requires many types of organizations to report breaches of protected health information involving 500 or more individuals to the U.S. Department of Health and Human Services’ Office for Civil Rights.
