Illinois Department of Human Services Mapping Website Data Breach Exposes Information of 700,000 Individuals
- Jan 11

Executive Summary
The Illinois Department of Human Services (IDHS) experienced a significant data breach affecting approximately 700,000 individuals, including recipients of Medicaid and the Medicare Savings Program and customers of the Division of Rehabilitation Services (DRS). The breach resulted from incorrect privacy (sharing) settings on a mapping website the agency used internally for resource allocation, which left sensitive data publicly accessible for years: roughly three years and eight months for the Medicaid and Medicare Savings Program data and about four years and five months for the DRS data. The exposed data included names, addresses, case numbers, case status, referral sources, demographic information, and medical assistance plan names, depending on the group. The exposure was discovered on September 22, 2025, but public notification did not follow until January 2, 2026, 102 days later, exceeding the 60-day outer limit set by the HIPAA Breach Notification Rule. There is no evidence of external threat actor involvement or malicious exploitation; the incident was caused by an internal IT misconfiguration, and the platform kept no access logs, so the set of people who viewed the data cannot be determined. The agency has since implemented a new policy to prevent recurrence and is notifying affected individuals as required by law. This report provides a technical analysis of the incident, assesses the quality of available evidence, and offers prioritized recommendations for mitigation.
Technical Information
The IDHS data breach was the result of a misconfiguration on a mapping website used by the agency’s Bureau of Planning and Evaluation. This platform was intended for internal use to assist with resource allocation decisions, such as determining locations for new offices. However, due to incorrect privacy settings, sensitive data was inadvertently made publicly accessible for several years. The breach affected two main groups: approximately 32,401 customers of the Division of Rehabilitation Services and over 672,000 recipients of the Medicaid and Medicare Savings Program. The exposed data for the Division of Rehabilitation Services included names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients. For the Medicaid and Medicare Savings Program group, the exposed data included addresses, case numbers, demographic information, and the names of medical assistance plans, but not the recipients’ names.
The root cause of the incident was a failure to properly configure access controls on the mapping website, resulting in internal maps containing sensitive data being accessible to the public. The exposure persisted from April 2021 to September 2025 for the Division of Rehabilitation Services data, and from January 2022 to September 2025 for the Medicaid and Medicare Savings Program data. The breach was discovered on September 22, 2025, during an internal review. Upon discovery, IDHS restricted access to the affected maps to authorized personnel only, completing this process by September 26, 2025. The agency then conducted a comprehensive review to determine the types of data exposed and assess its legal obligations under state and federal law.
No evidence has been found to suggest that the data was accessed or misused by unauthorized parties. The mapping website did not have the capability to log or identify who may have viewed the exposed information. As of the latest reports, IDHS is unaware of any actual or attempted misuse of the personal information involved in the incident. The agency has since implemented a Secure Map Policy, which prohibits the uploading of any customer-level data to public mapping websites and restricts access to customer-related maps to authorized personnel based on role-specific needs.
This incident is consistent with a well-documented pattern of data breaches in the healthcare sector caused by IT misconfiguration, particularly involving cloud storage and web applications. Such breaches often result from inadequate change management, no formal review of security settings before publication, and insufficient separation of duties during system configuration or upgrades. The closest MITRE ATT&CK mapping is T1530 (Data from Cloud Storage), a Collection technique in which an adversary reads data from cloud-hosted storage or services, typically succeeding because access controls were misconfigured or absent. Because no adversary activity was identified here, the mapping describes the exposure such an actor could have taken advantage of, not observed behavior. There is no evidence of malware, external tools, or threat actor involvement in this case.
The delay in public notification, 102 days after discovery, exceeded the HIPAA Breach Notification Rule's requirement that affected individuals be notified without unreasonable delay and in no case later than 60 calendar days after discovery, raising potential compliance concerns and increasing regulatory scrutiny. The agency has stated that it is notifying affected individuals and relevant regulatory authorities as required by law.
Affected Versions & Timeline
The breach affected data managed by the IDHS Bureau of Planning and Evaluation, specifically maps created for internal resource allocation. The Division of Rehabilitation Services data was exposed from April 2021 through September 2025, while the Medicaid and Medicare Savings Program data was exposed from January 2022 through September 2025. The misconfiguration was discovered on September 22, 2025, and access to the exposed data was restricted by September 26, 2025. Public notification of the breach was issued on January 2, 2026, 102 days after discovery.
The affected data sets included information on approximately 32,401 Division of Rehabilitation Services customers and over 672,000 Medicaid and Medicare Savings Program recipients. The mapping website used by IDHS was not named in public disclosures, but it was confirmed to be a platform used for internal planning and evaluation purposes. The agency has since implemented a Secure Map Policy to prevent future incidents of this nature.
Threat Activity
There is no evidence of external threat actor activity, malware, or exploitation of vulnerabilities in this incident. The breach was caused by internal human error and IT misconfiguration, resulting in accidental data exposure. The mapping website did not have the capability to log or identify who may have accessed the exposed data, and IDHS has reported that it is unaware of any actual or attempted misuse of the information. The incident is consistent with a pattern of accidental data exposures in the healthcare sector, often resulting from misconfigured cloud storage or web applications.
The MITRE ATT&CK technique most relevant to this incident is T1530 (Data from Cloud Storage), a Collection technique in which an adversary reads data from cloud storage whose access controls are misconfigured or missing. ATT&CK catalogs adversary behavior, so in the absence of an identified adversary the mapping is potential rather than observed. Follow-on activity such as T1087 (Account Discovery) would only apply if an adversary had actually collected the data, and there is no evidence that this occurred in the IDHS case.
Mitigation & Workarounds
The following mitigation steps and workarounds are prioritized by severity:
Critical: Immediate implementation of strict access controls on all internal and external mapping and data storage platforms is essential. All customer-level data must be restricted to authorized personnel only, with access based on role-specific needs. Regular audits of access controls and privacy settings should be conducted to ensure compliance with internal policies and regulatory requirements.
High: A formal change management process must be established and enforced, including a checklist to verify that all required security configuration settings are implemented correctly. Separation of duties should be maintained, with one individual making configuration changes and another reviewing and verifying those changes. This reduces the risk of oversight and misconfiguration.
High: All staff involved in data management and IT configuration should receive regular training on data privacy, security best practices, and regulatory requirements such as HIPAA. This training should be updated to reflect lessons learned from the IDHS incident and similar breaches in the sector.
Medium: Implement monitoring and logging capabilities on all platforms handling sensitive data, including mapping and cloud storage websites. While the mapping website used in this incident did not have such capabilities, future platforms should be selected or configured to provide detailed access logs and alerts for unauthorized access attempts.
Medium: Conduct periodic reviews of all data uploaded to public or third-party platforms to ensure that no customer-level or sensitive information is exposed. Automated tools can assist in scanning for exposed data and misconfigurations.
Low: Review and update incident response and notification procedures to ensure compliance with federal and state requirements. Notification delays, as seen in this incident, can increase regulatory risk and erode public trust.
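The Critical and Medium items above (restrict customer-level data to role-based access; periodically scan what has been published for exposed sensitive data) can be enforced as a policy-as-code check over the platform's item inventory. The script below is an added example written for this report, not code from the original disclosure or from IDHS, whose mapping platform was never named publicly. It assumes a hypothetical inventory export (a list of items with a sharing level, group memberships, record granularity, and attribute field names), hypothetical approved group names, and a heuristic for recognizing customer-level columns; all sample data is constructed.

```python
"""Added example: policy-as-code audit of a mapping-platform item inventory.

Hypothetical inventory format and group names; constructed sample data.
Not the IDHS platform's export format (the platform was not named publicly).
"""
import re
from typing import Dict, List

# Sharing levels that make an item reachable without authentication.
PUBLIC_LEVELS = {"public", "everyone"}

# Groups approved to see customer-level maps (hypothetical role groups).
APPROVED_GROUPS = {"drs-case-managers", "medicaid-eligibility-staff"}

# Name tokens that suggest a column holds customer-level data ...
SENSITIVE_TOKENS = {"name", "address", "addr", "case", "caseid", "casenumber",
                    "ssn", "dob", "birthdate", "phone", "email", "plan"}
# ... unless the column is clearly aggregate or describes a facility, not a person.
AGGREGATE_CONTEXT = {"office", "region", "county", "tract", "count", "total",
                     "avg", "average", "rate", "pct", "percent"}


def _tokens(field_name: str) -> set:
    """Split snake_case, camelCase, or spaced field names into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", field_name)
    return {t for t in re.split(r"[^A-Za-z0-9]+", spaced.lower()) if t}


def sensitive_fields(fields: List[str]) -> List[str]:
    """Return the subset of field names that look like customer-level data."""
    out = []
    for f in fields:
        toks = _tokens(f)
        if toks & SENSITIVE_TOKENS and not toks & AGGREGATE_CONTEXT:
            out.append(f)
    return out


def audit_inventory(items: List[Dict]) -> List[Dict]:
    """Apply the Secure Map Policy to every item; return findings, most severe first.

    critical: customer-level data on an item shared publicly
    high:     customer-level data shared with a group outside APPROVED_GROUPS
    Items with no customer-level columns and aggregate granularity pass.
    """
    findings = []
    for item in items:
        sens = sensitive_fields(item.get("fields", []))
        customer_level = bool(sens) or item.get("granularity") == "individual"
        if not customer_level:
            continue
        sharing = str(item.get("sharing", "")).lower()
        extra_groups = set(item.get("groups", [])) - APPROVED_GROUPS
        if sharing in PUBLIC_LEVELS:
            findings.append({"item": item["id"], "severity": "critical",
                             "reason": "customer-level data shared publicly",
                             "fields": sens})
        elif extra_groups:
            findings.append({"item": item["id"], "severity": "high",
                             "reason": "customer-level data shared with unapproved groups: "
                                       + ", ".join(sorted(extra_groups)),
                             "fields": sens})
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["item"]))


# Constructed inventory export for demonstration; not real IDHS data.
SAMPLE_INVENTORY = [
    {"id": "drs_customers_2021", "sharing": "public", "groups": [],
     "granularity": "individual",
     "fields": ["first_name", "last_name", "street_address", "case_number",
                "case_status", "referral_source", "region", "office"]},
    {"id": "medicaid_msp_2022", "sharing": "public", "groups": [],
     "granularity": "individual",
     "fields": ["address", "case_number", "age_band", "plan_name"]},
    {"id": "office_locations", "sharing": "public", "groups": [],
     "granularity": "aggregate",
     "fields": ["office_name", "office_address", "region", "client_count"]},
    {"id": "drs_customers_planning", "sharing": "org",
     "groups": ["planning-analysts"], "granularity": "individual",
     "fields": ["case_number", "case_status", "office"]},
    {"id": "drs_customers_caseload", "sharing": "private",
     "groups": ["drs-case-managers"], "granularity": "individual",
     "fields": ["case_number", "case_status", "office"]},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['severity'].upper():8} {f['item']}: {f['reason']} {f['fields']}")
```

Run against the constructed inventory, the audit flags the two publicly shared customer-level maps as critical and the map shared with an unapproved planning group as high, while the office-location map (facility data only) and the map restricted to an approved case-manager group pass. Two design points matter in practice: the check keys on granularity as well as column names, because the Medicaid dataset in this incident was customer-level even without a name column, and it should run on a schedule against the live inventory rather than only at publication time, since the IDHS exposure persisted through years of routine operation.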
References
ABC7 Chicago, January 6, 2026: https://abc7chicago.com/post/illinois-department-human-services-reports-yearslong-data-breach-residents-private-health-related-information/18362578/
BleepingComputer, January 9, 2026: https://www.bleepingcomputer.com/news/security/illinois-department-of-human-services-data-breach-affects-700k-people/
BankInfoSecurity, January 9, 2026: https://www.bankinfosecurity.com/illinois-notifies-700000-misconfiguration-breach-a-30486
MITRE ATT&CK T1530: https://attack.mitre.org/techniques/T1530/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and mitigate risks associated with external vendors and internal IT processes. Our platform enables continuous monitoring of data handling practices, configuration management, and compliance with regulatory requirements. For organizations seeking to prevent incidents similar to the IDHS breach, Rescana’s capabilities support the implementation of robust access controls, automated configuration audits, and incident response readiness. We are available to answer any questions at ops@rescana.com.