Personal data on over 700,000 exposed by Illinois government agency

News
By published

A human mistake resulted in a major data leak

Data leak
(Image credit: Shutterstock)
  • IDHS accidentally exposed sensitive data of 700,000 people via publicly accessible maps
  • Data included addresses, case details, & medical assistance plan information
  • Access restricted in September 2025; affected individuals notified, but no credit monitoring offered

The Illinois Department of Human Services (IDHS) kept a database on the open internet, exposing sensitive data of 700,000 people to anyone who found it.

In a press release published on the agency’s website in early January, it was said that the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation, a division that helps plan programs for low-income and vulnerable families, created maps that were supposed to help with resource allocation decisions.

The maps were created to help IDHS “determine where to open new local offices and were intended for internal IDHS use only”. But, these maps were posted on the clearweb, and were thus accessible to all visitors.

Not exploited (yet)

The individuals affected by this incident can be split into two categories, IDHS explained: around 32,000 customers of the Division of Rehabilitation Services, and more than 670,000 Medicaid and Medicare Savings Program recipients.

For the first group, IDHS exposed names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients.

For the second one, exposed information includes addresses, case numbers, demographic information, and the name of medical assistance plans (such as Medicaid, Medicare, etc.). Anyone who believes they might be affected should be wary of identity theft and fraud.

Because of the way these maps were set up, and the data exposed, it is impossible to determine who viewed them and if any malicious actors exfiltrated the information found inside. However, IDHS claims it has seen no evidence of attempted misuse.

The mistake was spotted in late September 2025, and the agency responded by restricting access to authorized employees only. It is now notifying affected individuals and has set up a free number where customers can call for additional inquiries.

There was no word on any identity theft or credit monitoring services as of yet, although these are standard practice in these kinds of situations.

Via The Record

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.