The Illinois Department of Human Services disclosed Friday that sensitive information tied to hundreds of thousands of Illinois residents enrolled in Medicaid, Medicare savings programs, and state disability services was publicly accessible online for years due to incorrect privacy settings on internal planning maps.

According to the agency, the data exposure involved mapping tools used internally to help determine where to locate offices and allocate resources. Because of a configuration error on a public mapping website, the maps were viewable by anyone with access to the site, though IDHS says it cannot determine who may have seen or accessed the information.

The incident affects two major groups. More than 32,000 customers of the Division of Rehabilitation Services, many of whom receive disability-related services, had personal information including names, addresses, case numbers, case status, referral source information, and regional office data exposed. Those maps were publicly accessible from April 2021 through September 2025.

In addition, approximately 672,000 Medicaid and Medicare Savings Program recipients had information tied to their cases exposed on similar maps from January 2022 through September 2025. That data included addresses, case numbers, demographic information, and the names of medical assistance programs, though IDHS said it did not include recipients’ names.

Altogether, the exposure affected more than 700,000 Illinois residents.

IDHS said it discovered the issue on September 22, 2025, and restricted access to the maps between September 22 and September 26, limiting them to authorized employees. The agency then conducted a review to determine what information appeared on each map and what reporting obligations applied under state and federal privacy laws, including the Health Insurance Portability and Accountability Act.

The agency said it is unaware of any confirmed misuse of the information and that the mapping platform could not identify who viewed the maps while they were publicly accessible. Nevertheless, IDHS acknowledged the seriousness of the lapse and said it has adopted a new Secure Map Policy that prohibits uploading customer-level data to public mapping platforms. Under the policy, any maps involving customer information are now restricted based on role-specific authorization.

As required by law, IDHS is in the process of notifying affected individuals directly and alerting regulatory authorities. The notices sent to residents will include toll-free numbers for additional information, as well as guidance on contacting credit reporting agencies and the Federal Trade Commission to learn more about fraud alerts and security freezes.

Advocates for low-income residents and people with disabilities have long raised concerns about how government agencies safeguard sensitive data, particularly when outside vendors or third-party platforms are used. While IDHS emphasized that the maps were intended solely for internal planning purposes and not for public use, the disclosure raises broader questions about oversight, auditing, and how long such errors can go undetected.

The agency said protecting customer privacy remains a top priority and that steps have been taken to ensure similar incidents do not occur again. Additional details, including how the error went unnoticed for several years and whether any external audits reviewed the mapping tools during that time, were not addressed in the initial disclosure.

IDHS officials are expected to provide further information in response to media inquiries, and any updates will be incorporated into a print version of this story next week in the Chicago Crusader Newspaper.