Illinois Health Department Exposed Personal Data of Over 700,000 Residents

The health department for the U.S. state of Illinois has acknowledged that a prolonged security failure left the personal data of more than 700,000 residents publicly accessible for several years.

In a statement released on January 2, the Illinois Department of Human Services (IDHS) said an internal mapping website used by staff to help guide the distribution of state resources was mistakenly exposed to the public internet. According to the department, the site was viewable from April 2021 until September 2025, when the issue was identified and addressed.

IDHS said the exposed information included records related to 672,616 individuals enrolled in Medicaid and the Medicare Savings Program. The data associated with those individuals included home addresses, case identification numbers, and demographic details, but did not include names.

The department also disclosed that information belonging to 32,401 people receiving services through its Division of Rehabilitation Services was exposed. In those cases, the data included names, addresses, case statuses, and additional service-related information.

Officials said they were unable to determine whether the publicly accessible maps were viewed or accessed by unauthorised parties during the roughly four-year period they were available online.

IDHS did not provide further details on how the mapping site was exposed or on the steps, beyond taking it offline, that are being implemented to prevent similar incidents in the future.