Illinois Department of Human Services Data Leak Exposes Personal Information of Over 700,000 Medicaid and Medicare Recipients

The Illinois Department of Human Services (IDHS) announced on Friday that improperly configured privacy settings allowed publicly accessible maps to reveal the names and addresses of thousands of its clients. The leak, which affected data for more than 32,000 patients served by the IDHS Division of Rehabilitation Services and over 670,000 Medicaid and Medicare Savings Program recipients, persisted between 2021 and 2025. The vulnerable maps were used by IDHS to support operational decisions—such as determining where to open new offices or allocate resources. However, between April 2021 and September 2025, the maps exposed sensitive information including client names, addresses, case numbers, case status, referral source, and regional office details. For Medicare Savings Program recipients, demographic data and the names of medical assistance plans were also publicly visible. IDHS said that the website used for mapping does not record who viewed the maps, and it remains unaware of any misuse of the data. The breach was identified on September 22, and the agency immediately changed the privacy settings on all maps, restricting access to authorized employees only. In response, IDHS has implemented a new secure‑map policy that prohibits the uploading of customer data to public mapping platforms. The agency is also preparing to send notification letters to every individual whose information was exposed, including a designated phone number for inquiries. The incident underscores the importance of stringent access controls for geospatial data containing personal information. IDHS’s swift remediation and transparent communication aim to restore trust and safeguard client privacy in future use of mapping tools.