The Illinois Department of Human Services (IDHS) exposed sensitive personal data of more than 700,000 state residents for approximately four years, from April 2021 to September 2025. On September 22, 2025, IDHS discovered that an internal resource planning/mapping website had been publicly accessible due to misconfigured privacy settings. Two groups were affected: (1) 672,616 Medicaid and Medicare Savings Program recipients — addresses, case numbers, and demographic data (names not included); (2) 32,401 Division of Rehabilitation Services recipients — names, addresses, case statuses, and service details. IDHS immediately secured the website, notified HHS Office for Civil Rights, and mailed notification letters. IDHS was unable to determine who viewed the maps; no evidence of misuse was identified.