Notice to the Media from Illinois Department of Human Services – Incident Involving Protected Health Information
FOR IMMEDIATE RELEASE
January 2, 2026
MEDIA CONTACT:
Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Human Services (IDHS) is notifying the media of a security incident involving internal planning maps.
On September 22, 2025, IDHS discovered that maps created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation on a mapping website were publicly viewable due to incorrect privacy settings. These maps were created to assist IDHS with resource allocation decisions, such as determining where to open new local offices, and were intended for internal IDHS use only.
The incident involves two categories of affected individuals:
Division of Rehabilitation Services (DRS) Customers: Approximately 32,401 DRS customers. The maps containing DRS customer information were publicly accessible from April 2021 through September 2025. The information involved includes: names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients.
Medicaid and Medicare Savings Program Recipients: Approximately 672,616 Medicaid and Medicare Savings Program recipients. The maps containing this information were publicly accessible from January 2022 through September 2025. The information involved includes: addresses, case numbers, demographic information, and the name of medical assistance plans (such as Medicaid, Medicare, etc.). The information did not include recipients’ names.
The mapping website was unable to identify who viewed the maps. To date, IDHS is unaware of any actual or attempted misuse of personal information as a result of this incident.
Upon discovering this incident, IDHS immediately changed the privacy settings on all maps between September 22, 2025, and September 26, 2025, to restrict access to only authorized IDHS employees. IDHS conducted a comprehensive review to determine the data contained in each map and assess reporting obligations under applicable State and federal privacy laws. IDHS has developed and implemented a Secure Map Policy that prohibits the uploading of any customer-level data to public mapping websites. Under this policy, no identifiable customer information may be uploaded, entered, or stored on public mapping platforms. Access to any customer-related maps is now restricted to authorized personnel based on role-specific needs.
IDHS is in the process of sending notice, as required by law, to the individuals affected by this incident and to all applicable regulatory authorities. IDHS is working to ensure that this does not happen again, as the privacy of customers is of paramount importance.
The individual notices being sent to affected customers will include toll-free numbers that customers can call for additional information. Credit reporting agencies and the Federal Trade Commission can also offer information about fraud alerts and security freezes, and contact information for those organizations is being provided to the affected individuals.