• 5
  • Hospitals
  • 5
  • IL
  • 5
  • Illinois Department of Healthcare and Family Services, Illinois Department of Human Services

Illinois Department of Healthcare and Family Services, Illinois Department of Human Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) experienced a data breach involving their Application for Benefits Eligibility (ABE) system’s Provider Portal and Manage My Case (MMC) portal. The breach was first discovered on August 22, 2022, when it was found that individuals applying to become Provider Portal users could potentially access certain customer applications before they were approved users by clicking on certain buttons in a specific order while logged into their account. The information potentially accessed included names, genders, dates of birth, counties, application types, application statuses, Social Security numbers, addresses, benefits applied for, income information, and medical information[1].

In response to the incident, the ABE system Provider Portal was shut down on August 23, 2022, to fix the issue and was reopened on September 29, 2022. The Departments notified potentially affected individuals, the members of the Illinois General Assembly, and the Office of the Illinois Attorney General on October 21, 2022. They are providing one year of credit monitoring and a dedicated phone line for assistance regarding the incident[1].

Another incident was discovered on March 13, 2023, involving suspicious user accounts created within the ABE system’s MMC portal. These accounts were able to link to existing customer MMC accounts by providing the customer’s date of birth and Individual ID or Social Security Number and then correctly answering several identity proofing questions. The Departments believe that customer personal information had been stolen elsewhere and then used to access customer MMC accounts. The information that could have been viewed includes the client’s name, address, phone number, date of birth, recipient identification number, individual ID, Case ID, Social Security Number, benefits applied for and received, and income information[5].

The Departments deployed new software to stop the creation of more suspicious user accounts and de-linked the suspicious accounts from the customer accounts. They notified the potentially affected individuals, the members of the Illinois General Assembly, and the Office of the Illinois Attorney General on May 12, 2023. A dedicated phone line was provided for assistance and to answer customer questions about this incident[5].

The Illinois Attorney General’s Office has a dedicated email address for breach reporting, and Illinois law requires businesses and state government agencies that experience a data security breach to provide notice to the Illinois Attorney General’s Office in addition to providing breach notification to affected Illinois residents[2].

For further assistance and information about fraud alerts, credit freezes, or other identity theft resources, potentially affected individuals can contact consumer reporting agencies or the Federal Trade Commission[1][5].

Citations:

  1. https://www.illinois.gov/news/press-release.25599.html
  2. https://illinoisattorneygeneral.gov/Consumer-Protection/For-Businesses/Data-Breach/
  3. https://abc7chicago.com/vista-medical-center-east-illinois-department-of-public-health-waukegan-news/14386591/
  4. https://www.dhs.state.il.us/page.aspx?item=98456
  5. https://www.illinois.gov/news/press-release.26456.html
  6. https://www.myinjuryattorney.com/illinois-department-of-public-health-data-breach-investigation/
  7. https://www.illinois.gov
  8. https://www.propublica.org/article/illinois-crisis-institution-placement
  9. https://www.jdsupra.com/legalnews/illinois-department-of-public-health-1260107/
  10. https://ilaging.illinois.gov
  11. https://www.acf.hhs.gov/ocs/programs/liheap
  12. https://www.countryherald.com/news/local/illinois-data-breach-exposes-private-information-of-medicaid-snap-and-tanf-recipients/
  13. https://www.dailyherald.com
  14. https://www.teiss.co.uk/news/illinois-department-of-public-health-announces-major-breach-that-impacted-126k-individuals-12762
  15. https://ides.illinois.gov
  16. https://www.modernhealthcare.com/legal/illinois-medicaid-snap-beneficiaries-personal-information-leaked-data-breach
  17. https://www.aetnabetterhealth.com/illinois-medicaid/index.html
  18. https://www.databreaches.net/illinois-data-breach-exposes-private-information-of-medicaid-snap-and-tanf-recipients/
  19. https://www.hhs.gov
  20. https://www.sj-r.com/story/news/technology/2022/10/22/abe-assistance-portal-breached-illinois/69582737007/
  21. https://www.chicago.gov/city/en.html
Breach Submission Date May 12, 2023
Converted Entity Name Illinois Department of Healthcare and Family Services, Illinois Department of Human Services
Converted Entity Type Health Plan
State IL
Individuals Affected 50,839
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes