Illinois Health Department Exposed Over 700,000 Residents' Personal Data For Years (techcrunch.com)
Illinois Department of Human Services disclosed that a misconfigured internal mapping website exposed sensitive personal data for more than 700,000 Illinois residents for over four years, from April 2021 to September 2025. Officials say they can't confirm whether the publicly accessible data was ever viewed. TechCrunch reports: Officials said the exposed data included personal information on 672,616 individuals who are Medicaid and Medicare Savings Program recipients. The data included their addresses, case numbers, and demographic data -- but not individuals' names. The exposed data also included names, addresses, case statuses, and other information relating to 32,401 individuals in receipt of services from the department's Division of Rehabilitation Services.
Lowest bidder (Score:2)
I can only imagine what cut-rate firm won the bid for this project. Might be someone's cousin or buddy. Since it's Illinois, anything is possible.
Criminal Negligence (Score:2)
By now, crap like that should routinely count as criminal negligence, make the ones responsible liable for any and all damage and get them personally punished. We need to treat negligence of this type as a criminal act or nothing will ever change.
Nice theory but hard to enact (Score:2)
The nature of such breaches means that pinning the blame on an individual is seldom legitimate. Specifically, this is likely to result in competent people refusing the responsibility because they know that they can't be sure it's secure. Also, as technology changes, what was completely reasonable suddenly ceases to be. We need a more imaginative approach - probably requiring mandatory regular penetration testing. Unfortunately this will be hard to sell to legislators who will need to add laws to achieve it.
Re: (Score:2)
And yet, personal criminal liability is the standard for many things in civil engineering, electrical engineering, etc.
You should also notice that personal liability only comes into effect on simple negligence, like not following the state-of-the-art or doing things cheaper than possible. Do things right and you are not at fault. In that case, professional insurance or organizational insurance will pay.
The bottom line is that amateur hour must finally be over in IT. It has lasted far too long.
Re: (Score:2)
Indeed. And that is why regulation and laws must make them do it. The same happened to any other engineering discipline at some time.
Re: (Score:2)
Who said it has to happen in the US? The US can, as usual in regulation that makes sense, be the one dragged into it late, kicking and screaming.
Helpful and informative (Score:2)
How we get there is another matter given who would be opposed to it, but the direction of travel is good.
Re: (Score:2)
All we need is standard software security controls just like we have building codes. Building codes aren't perfect. When better ways of doing things come around, those codes are updated. Cities/states across the country then adopt those new codes within a few years. Buildings built before the new codes only need to be updated if related parts of those buildings are modified.
All that can easily apply to software too. If you're continually releasing a product then you have to keep it updated with the lat
Re: (Score:2)
State run health services are chronically underfunded. There's a big difference between a company owned by a multi-billionaire not paying for good user security and an impoverished public health service being unable to afford it.
Re: (Score:2)
No. There is no difference. The protection goal is clear. It must be reached or the data must not be stored there.
Your data is out there (Score:2)
It's probably included in dozens of breaches by now. If you think your data hasn't been leaked, you are misleading yourself.
Typical government nonsense (Score:2)
172.105.24.10 - - [09/Jan/2026:15:22:20 -0500] "GET / HTTP/1.1" 200 1114 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML"
So at the very least, they should be able to see if the data was visited. Granted, you can mask the IP with a VPN or other technology, so the IP isn't really reliable, but that would let you know if it was accessed at all.
Why do governments, Canada is terrible for this, claim the
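As an added example of the check this comment describes (not code from the thread, TechCrunch or the department): a parser for combined-format access logs that counts successful requests to the exposed path during the reported exposure window and reports lines it cannot parse, such as the truncated one quoted above. The path `/maps/cases.csv`, the documentation-range IPs and the timestamps are constructed; only the last sample line is the one quoted in the comment.

```python
import re
from datetime import datetime, timezone
# Apache/nginx "combined" format. Strict on purpose: a line that does not match
# (e.g. a truncated user-agent field) is reported, not silently dropped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def summarize_access(lines, path_prefix, start, end):
    """Count 2xx requests under path_prefix within [start, end) and who made them.
    Unparseable lines are counted too: a log you cannot fully read cannot back
    a claim that the data was never accessed."""
    hits, clients, unparsed = 0, {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not (start <= rec["ts"] < end):
            continue
        if rec["path"].startswith(path_prefix) and 200 <= rec["status"] < 300:
            hits += 1
            clients.setdefault(rec["ip"], set()).add(rec["ua"])
    return {"hits": hits, "distinct_ips": len(clients),
            "clients": clients, "unparsed": unparsed}

# Constructed sample lines (RFC 5737 documentation IPs, not real traffic); the
# last one is the truncated line quoted in the comment above.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/May/2023:10:01:02 -0500] "GET /maps/cases.csv HTTP/1.1" 200 5120 "-" "curl/8.1.2"',
    '198.51.100.7 - - [03/May/2023:10:01:09 -0500] "GET /maps/cases.csv HTTP/1.1" 200 5120 "-" "curl/8.1.2"',
    '203.0.113.4 - - [11/Nov/2024:22:15:41 -0600] "GET /maps/index.html HTTP/1.1" 200 1114 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Feb/2021:08:00:00 -0600] "GET /maps/cases.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [20/Jun/2022:14:30:00 -0500] "GET /maps/cases.csv HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '172.105.24.10 - - [09/Jan/2026:15:22:20 -0500] "GET / HTTP/1.1" 200 1114 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML',
]
# Exposure window reported in the summary: April 2021 to September 2025.
EXPOSURE_START = datetime(2021, 4, 1, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2025, 10, 1, tzinfo=timezone.utc)
```

Run `summarize_access(SAMPLE_LOG, "/maps/", EXPOSURE_START, EXPOSURE_END)` to get hit count, distinct client IPs with their user agents, and the number of unreadable lines; a non-zero `unparsed` count is itself a finding.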