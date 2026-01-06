SPRINGFIELD – The Illinois Department of Human Services disclosed recently that it mistakenly uploaded private health-related information about hundreds of thousands of Illinoisans to a publicly accessible website and left it there for more than three years before it discovered the mistake.

But the agency would not explain this week why it took officials so long to discover the problem or why officials waited more than three months after it was discovered to notify the individuals affected and the news media, as required by federal rules.

In a news release dated Friday, Jan. 2, IDHS said the data breach involved two categories of individuals. One category included 32,401 customers of its Division of Rehabilitation Services, which provides services to people with disabilities. The other involved more than 672,000 recipients in the Medicaid and Medicare Savings Program, which helps low-income Medicare beneficiaries pay for premiums, deductibles and coinsurance.

In both cases, the agency said, information about individuals was uploaded to a mapping website used by the agency’s Bureau of Planning and Evaluation. The bureau used that site to create maps “to assist IDHS with resource allocation decisions, such as determining where to open new local offices,” according to the news release. It said the maps were intended for internal use only.

However, according to the news release, due to “incorrect privacy settings,” the maps and the information contained within them were publicly viewable.

The maps containing information about Rehabilitation Services customers were publicly accessible from April 2021 through September 2025, when the misconfiguration was discovered, the agency said. That included customers’ names, addresses, case numbers, case status, referral source information, region and office information and individuals’ status as DRS recipients.

The maps containing information about Medicare Savings Program recipients were publicly accessible from January 2022 until September 2025. The information included addresses, case numbers, demographic information and the names of individuals’ medical assistance plans such as Medicaid and Medicare. The information did not include recipients’ names.

In both cases, IDHS said, the vulnerabilities were discovered on Sept. 22, 2025, at which point officials changed the privacy settings to restrict access to only authorized IDHS employees. The agency said it also conducted a “comprehensive review” to determine the type of data contained in each map and assess its reporting obligations under state and federal law.

“IDHS has developed and implemented a Secure Map Policy that prohibits the uploading of any customer-level data to public mapping websites,” the agency said in the release. “Under this policy, no identifiable customer information may be uploaded, entered, or stored on public mapping platforms. Access to any customer-related maps is now restricted to authorized personnel based on role-specific needs.”

Federal regulations

According to federal regulations under the Health Insurance Portability and Accountability Act, or HIPAA, whenever a health plan, health care clearinghouse or health care provider discovers an individual’s protected health information has been breached, that entity is required to notify the individual “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”

When a breach involves more than 500 residents of a state or jurisdiction, the entities also are required to notify “prominent media outlets” serving that area within 60 calendar days after discovery.

The news release announcing the two breaches at IDHS was issued 102 days after the date on which the agency said it discovered the breaches.

IDHS declined to answer directly when asked by Capitol News Illinois why it took the agency more than three years to realize it was exposing individuals’ protected health information on a public website and why, after discovering the vulnerability, it took the agency more than 100 days to provide the legally required public notification.

“The privacy and security of IDHS customers and residents is an utmost priority,” the agency said in an email. “Immediately upon learning of the issue, IDHS moved to secure the relevant information and began internal review and practices to prevent anything similar from happening in the future.”