Overview
- IDHS disclosed that misconfigured privacy settings left internal planning maps publicly viewable for years, exposing customer-level information.
- About 672,616 Medicaid and Medicare Savings Program recipients had addresses, case numbers, demographics, and plan names exposed from January 2022 to September 2025, without names.
- Another 32,401 Division of Rehabilitation Services customers had names, addresses, case numbers, case status, and referral sources exposed from April 2021 to September 2025.
- IDHS says the mapping platform cannot identify who viewed the data and reports no known misuse to date.
- Following its September 2025 discovery, the agency locked down access by September 26, reviewed exposed maps, blocked uploads of identifiable data to public platforms, and reported the incident to regulators.