Illinois agency discloses data exposure affecting hundreds of thousands
Farah Amod
January 16, 2026
Incorrect privacy settings left patient information publicly viewable for several years.
What happened
The Illinois Department of Human Services disclosed that personal information for more than 600,000 individuals was publicly accessible due to misconfigured privacy settings on internal mapping tools. According to NBC Chicago, several data maps used for planning and resource allocation were mistakenly made public between 2021 and 2025. The exposed information included names, addresses, case numbers, program participation status, and related administrative details. The issue affected clients of the Division of Rehabilitation Services as well as recipients of Medicaid and the Medicare Savings Program.
Going deeper
The agency said the data exposure stemmed from maps created to guide operational decisions, such as where to open offices or distribute services. More than 32,000 rehabilitation services clients had information available between April 2021 and September 2025. In addition, roughly 670,000 Medicaid and Medicare Savings Program recipients had addresses and demographic details available between January 2022 and September 2025. The mapping platform did not provide visibility into who viewed the data, and the department said it has not identified evidence of misuse. Once the issue was discovered on September 22, access was restricted to authorized staff, and a new policy was implemented to prevent uploading customer data to public mapping tools.
What was said
The Department of Human Services said it acted immediately after discovering the exposure by correcting privacy settings across all affected maps. The agency stated that it has implemented a secure mapping policy and is notifying individuals whose information may have been viewable. Notices will include contact information for individuals seeking additional details. Officials say that the exposure resulted from configuration errors rather than a cyberattack and that internal processes are being reviewed to prevent similar incidents.
The big picture
Configuration errors remain a persistent source of large-scale data exposures in government and healthcare systems. A 2024 analysis published by the National Institute of Standards and Technology identified misconfigured data access controls and unintended public exposure of internal datasets as persistent contributors to privacy and security incidents across public sector environments. NIST guidance advises that reducing long-term exposure risk requires strong governance over data sharing tools, regular access reviews, and the use of automated checks to detect and prevent misconfigurations before data is broadly exposed.
FAQs
Was this incident caused by hacking or ransomware?
No. The agency said the exposure resulted from incorrect privacy settings rather than an external cyber intrusion.
What type of information was involved?
The data included names, addresses, case numbers, program participation status, and administrative details related to state assistance programs.
Does the agency know who accessed the information?
No. The mapping platform did not track viewers, and the department said it cannot determine who may have seen the data.
What steps can organizations take to prevent similar exposures?
They can restrict use of public data tools, enforce access controls, conduct regular configuration reviews, and require approval before publishing datasets that include personal information.
