
Illinois Department of Human Services Plagued by Repeated Data Breaches: FOIA Documents Expose Vulnerabilities Affecting Hundreds of Thousands

By Rockford Scanner Staff, February 5, 2026 – Rockford, IL
Sources: James E Ferguson Jr & Freedom of Information Act

In a revelation that underscores ongoing challenges in safeguarding sensitive personal information within Illinois' public welfare systems, newly released documents obtained through a Freedom of Information Act (FOIA) request paint a troubling picture of repeated data breaches at the Illinois Department of Human Services (IDHS).

The records, spanning from 2017 to 2025, detail incidents ranging from physical mishandling of files to sophisticated phishing attacks and prolonged online exposures of protected health information (PHI). These breaches have collectively impacted over 700,000 Illinois residents, including vulnerable populations reliant on Medicaid, Medicare Savings Programs, and rehabilitation services.

The documents were released by the Office of the Illinois Attorney General (OAG) in response to a FOIA request filed by Rockford resident James Earl Ferguson Jr. on January 20, 2026. Ferguson sought records from January 1, 2015, to the present concerning data exposures, internal investigations, HIPAA compliance reviews, notifications to affected individuals, and remedial actions—specifically referencing his own information and that of his dependents. After an initial denial and a subsequent review request from Ferguson on January 29, 2026, the OAG conducted a broader search.

In a February 5, 2026, letter signed by Assistant Attorney General James M. Gale, the office stated it found no records specifically identifying Ferguson or his family. However, it partially granted the request by providing redacted documents related to general data breaches, withholding only "private information" such as signatures under FOIA exemptions.

The released files, primarily breach notifications submitted by IDHS to the OAG under the Illinois Personal Information Protection Act (PIPA), highlight a pattern of systemic issues. From dumpster dives to digital misconfigurations, the incidents reveal gaps in employee training, system security, and third-party oversight. While IDHS has implemented corrective measures in each case, critics argue these reactive steps fail to address root causes, leaving residents—particularly in underserved areas like Rockford—at risk of identity theft, medical fraud, and privacy violations.

A Chronology of Breaches: From Physical Lapses to Digital Exposures

The earliest incident detailed in the FOIA response dates back to 2017, involving a contractor's egregious mishandling of physical records. On October 24, 2017, files belonging to 1,200 IDHS customers were discovered in an unsecured dumpster near a local office. These files, managed by United Chicago Services, Inc.—a provider contracted for employment services in IDHS's Family and Community Services (FCS) Division—contained sensitive customer information. IDHS's investigation concluded that the files were improperly removed from the provider's financial office and discarded. Although it's unknown if anyone viewed the contents, IDHS notified affected individuals on December 15, 2017, and pledged to enforce stricter record security protocols with the contractor. Patricia Brown, IDHS's Chief Privacy Officer at the time, emphasized in a December 21, 2017, letter to then-Attorney General Lisa Madigan that the agency would "take all action necessary" to prevent future occurrences.

Fast-forward to 2020, amid the height of the COVID-19 pandemic, when a coding error in the state's Integrated Eligibility System (IES) exposed data through its Application for Benefits Eligibility (ABE) component. Discovered on July 9, 2020, the breach affected 285 Illinois residents applying for Pandemic Supplemental Nutrition Assistance for Children Receiving Free or Reduced School Lunches (P-EBT). Due to the glitch, applications from 97 system users became viewable by others, potentially revealing names, addresses, telephone numbers, dates of birth, genders, school districts, school names, and Social Security Numbers (SSNs)—though SSNs were optional on the form.

The Illinois Department of Healthcare and Family Services (HFS) and the Department of Innovation and Technology (DoIT) collaborated with IDHS to shut down ABE immediately and remediate the issue. Notifications were mailed to affected individuals on July 31, 2020. In an August 11, 2020, joint report to Attorney General Kwame Raoul, IDHS Secretary Grace B. Hou and HFS Director Theresa Eagleson stressed the "paramount importance" of customer privacy, noting that the departments were "working together to ensure this does not happen again."

The pattern continued into 2025 with smaller but no less concerning breaches. On February 25, 2025, an IDHS employee fell victim to a phishing email from a hacked external account, granting a hacker brief access to their email inbox. The intruder set up rules to hide messages, sent additional phishing emails, and accessed inbox contents, compromising the medical information and SSNs of eight Illinois residents. Classified as a government agency breach, the incident was halted within an hour by DoIT, which revoked the hacker's access. Remedial actions included mandating multi-factor authentication (MFA) for all logins, disabling insecure web settings, implementing email filters, and adding real-time monitoring. Rachel Diamond, an Associate General Counsel for IDHS, reported the breach to the OAG and the U.S. Department of Health and Human Services (HHS) on May 5, 2025, with direct notices sent to affected residents on April 30, 2025.

Just weeks later, on March 11, 2025, a clerical error in the IES system led to a newborn's information being added to the wrong household case. A doctor's newborn report, submitted on February 19, 2025, contained incorrect case details, resulting in a Notice of Decision for Medicaid eligibility being mailed to the unintended recipient. The error was corrected swiftly after the incorrect household head notified IDHS, and the newborn was reassigned to the proper account. This breach affected only one resident's medical information. Diamond again handled the reporting, notifying affected parties on June 10, 2025, and HHS on June 25, 2025.

The most alarming revelation in the FOIA documents is a massive, long-term exposure discovered on September 22, 2025, affecting an estimated 705,017 Illinois residents. Six internal planning maps on the ESRI/ArcGIS platform had incorrect privacy settings, allowing public access from as early as April 2021. The maps exposed PHI from IDHS's Department of Rehabilitation Services (DRS) for 32,401 customers—including names, addresses, and medical referral data—starting in April 2021. Additionally, Medicaid and Medicare PHI for 672,616 individuals, such as addresses, case numbers, and plan information, was accessible from January 2022 onward.

IDHS responded by restricting access to authorized employees between September 22 and 26, 2025, conducting a comprehensive review, and enacting a new policy prohibiting customer data on public mapping sites. Thomas Mulcrone, IDHS's Deputy General Counsel, detailed these steps in the breach report, with notifications sent on January 8, 2026—the same day as the OAG's FOIA response. The breach, which ended on September 26, 2025, was not reported to law enforcement but was flagged to HHS on January 9, 2026.

Implications for Illinois Residents and Systemic Failures

These incidents collectively expose vulnerabilities in IDHS's handling of sensitive data, which serves millions through programs like Medicaid (covering over 3 million Illinoisans) and rehabilitation services for individuals with disabilities. Rockford, home to Ferguson and a significant number of low-income families reliant on these programs, has been particularly affected; local advocates note that breaches like the 2025 mapping exposure could disproportionately impact rural and urban underserved communities, where access to credit monitoring or legal recourse is limited.

Experts point to recurring themes: human error (phishing, misfiling), technical glitches (coding errors, privacy settings), and inadequate third-party oversight (the 2017 dumpster incident). While IDHS has consistently reported breaches to the OAG and HHS as required by PIPA and HIPAA, and implemented fixes like enhanced MFA and policy changes, the sheer scale—especially the 705,017 affected in the mapping breach—raises questions about proactive auditing and investment in cybersecurity. The OAG's FOIA response notes that no records of internal investigations, audits, or HIPAA reviews specific to Ferguson's request were found within their office, suggesting such documents may reside with IDHS itself.

Ferguson, in his January 29 review request, argued that the OAG's initial denial was "inconsistent with publicly acknowledged facts," referencing IDHS's admission of exposing over 700,000 residents' data from 2021 to 2025. His persistence led to the partial release, but the absence of personalized records leaves open whether his family's data was compromised in any of these events.

As Illinois grapples with digital transformation in public services, these FOIA documents serve as a stark reminder of the human cost of data insecurity. Residents affected by these breaches are encouraged to monitor their credit reports and contact IDHS's HIPAA office for support. The OAG has advised that Ferguson can appeal the partial denial to their Public Access Counselor within 60 days or seek judicial review.

This story is based solely on the facts contained in the released FOIA documents. Rockford Scanner will continue monitoring for updates on data privacy in state agencies.


