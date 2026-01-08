IDHS accidentally exposed sensitive data of 700,000 people via publicly accessible maps

Data included addresses, case details, & medical assistance plan information

Access restricted in September 2025; affected individuals notified, but no credit monitoring offered

The Illinois Department of Human Services (IDHS) kept a database on the open internet, exposing sensitive data of 700,000 people to anyone who found it.

In a press release published on the agency’s website in early January, it was said that the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation, a division that helps plan programs for low-income and vulnerable families, created maps that were supposed to help with resource allocation decisions.

The maps were created to help IDHS “determine where to open new local offices and were intended for internal IDHS use only”. But, these maps were posted on the clearweb, and were thus accessible to all visitors.

Not exploited (yet)

The individuals affected by this incident can be split into two categories, IDHS explained: around 32,000 customers of the Division of Rehabilitation Services, and more than 670,000 Medicaid and Medicare Savings Program recipients.

For the first group, IDHS exposed names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients.

For the second one, exposed information includes addresses, case numbers, demographic information, and the name of medical assistance plans (such as Medicaid, Medicare, etc.). Anyone who believes they might be affected should be wary of identity theft and fraud.

Because of the way these maps were set up, and the data exposed, it is impossible to determine who viewed them and if any malicious actors exfiltrated the information found inside. However, IDHS claims it has seen no evidence of attempted misuse.

The mistake was spotted in late September 2025, and the agency responded by restricting access to authorized employees only. It is now notifying affected individuals and has set up a free number where customers can call for additional inquiries.

There was no word on any identity theft or credit monitoring services as of yet, although these are standard practice in these kinds of situations.

