Illinois lawmaker questions IDHS over years-long data breach

By Catrina Barker | The Center Square contributor
The Center Square

(The Center Square) – An Illinois lawmaker slammed the state agency as “incompetent” after the Department of Human Services revealed it had accidentally exposed private health information of hundreds of thousands of residents on a public website and left it accessible for more than three years before discovering the breach.

State Sen. Terri Bryant, R-Murphysboro, said the breach, and the agency’s delayed public notification, follows a troubling pattern of data security failures across multiple state agencies under the Pritzker administration.

“This isn’t the first data breach,” Bryant told TCS. “What’s alarming is how long this information was publicly accessible and how long it took for people to be notified after the problem was discovered.”

IDHS said incorrect privacy settings exposed protected health information for more than 700,000 Illinois residents on an internal mapping website from 2021 until September 2025.

Although federal law requires public notification within 60 days, the agency waited 102 days to disclose the breach, a delay Bryant called legally and ethically troubling.

“IDHS is working to ensure that this does not happen again, as the privacy of customers is of paramount importance,” IDHS said in a recent news release.

“Federal law is clear. People are supposed to be notified within 60 days,” she said. “They discovered this in September, and here we are in January. To my knowledge, those notifications were not made on time, and the agency still won’t explain why.”

Bryant questioned whether contractors played a role in the breach, noting the exposed data overlaps with a period during the COVID-19 pandemic when the state awarded no-bid contracts to manage agency operations.

“There was a no-bid contract during COVID worth $21 to $22 million awarded to Deloitte to manage [the Illinois Department of Employment Security],” Bryant said. “I want to know whether this breach happened while contractors were involved or whether this was purely an internal failure. Either answer is bad, but the public deserves to know which it is.”

During COVID-19, Deloitte managed Illinois’ Pandemic Unemployment Assistance system, which experienced major data breaches that exposed personal information and led to lawsuits and settlements.

Bryant said repeated breaches across state agencies point to systemic failures rather than isolated mistakes.

“If this is really about something as simple as incorrect privacy settings, that’s even more concerning,” she said. “This is extremely sensitive information, financial data and medical information. There should be safeguards in place, and there should be someone clearly responsible for making sure those safeguards work.”

Bryant also highlighted the April 2021 ransomware attack on the Illinois Attorney General’s office, which exposed names, addresses, and Social Security numbers of potentially millions of residents after hackers using DoppelPaymer malware posted data when ransom demands failed, forcing the state to spend heavily on cybersecurity recovery and forensic audits.

She compared the current situation to an incident she witnessed decades ago while working for the Illinois Department of Corrections, when a far smaller exposure of sensitive information prompted immediate notification and serious disciplinary action.

“That situation was handled quickly, efficiently and transparently,” Bryant said. “That’s not what we’re seeing today.”

Bryant said affected individuals should, at a minimum, receive free credit monitoring, adding that similar measures were taken following previous breaches at state agencies.

“The taxpayers are probably going to end up footing the bill again,” she said. “That’s unacceptable when these breaches are preventable.”

IDHS said it has since implemented a new Secure Map Policy that prohibits uploading any customer-level data to public mapping websites and restricts access to authorized personnel.

Bryant said Republican senators plan to raise the issue during leadership meetings and push for answers, though she acknowledged that Democrats control the General Assembly.

“We’re in a super minority, so we don’t get to set hearings,” she said. “But we will be asking why people weren’t notified, what’s being done now, and how the state plans to make sure this never happens again.”

TCS asked IDHS why it took over three years to discover the breach, why notification took more than 100 days, whether a contractor was responsible, if the agency will compensate affected residents, and how it plans to respond to Republican senators pushing for answers. IDHS did not immediately respond.