Within two weeks of each other, the Department of Human Services (DHS) for two separate states have announced data security incidents. 

The first was revealed by the Illinois DHS, or IDHS, on Jan. 2, 2026, although the incident itself was discovered on Sep. 22, 2025. Maps created by the department’s Division of Family and Community Services’ Bureau of Planning and Evaluation were found to be publicly viewable in result of incorrect privacy settings. These were intended for internal use only. 

According to the IDHS, the data leak may impact the two following categories: 

• Division of Rehabilitation Services (DRS) Customers: The data of approximately 32,401 individuals were impacted, involving information such as “names, addresses, case numbers, case status, referral source information, region and office information, and status as DRS recipients.” 
• Medicaid and Medicare Savings Program Recipients: 672,616 individuals were estimated to be impacted, including “addresses, case numbers, demographic information, and the name of medical assistance plans (such as Medicaid, Medicare, etc.).” However, names were not exposed. 

In total, the IDHS data leak approximates 700,000 residents affected. 

At this time, IDHS is unable to identify who viewed the maps. Likewise, it is unknown if any personal information has been misused as a result of this exposure. 

The second DHS incident impacts residents of Minnesota. This incident was announced on Jan. 16, 2026 and directly impacted FEI Systems (FEI), the managing organization of one of the department’s systems (called MnCHOICES). FEI discovered the security event on Nov. 18, 2025, and reported its findings to the department the following day. 

According to a notice sent out by the department, “a user affiliated with a licensed health care provider accessed data in the MnCHOICES system without authorization. While FEI confirmed the user was authorized to access limited data in the system, the user accessed more data than was reasonably necessary to perform work assignments.” Exposed data includes “first name, last name, alternative names, address, email addresses, sex, date of birth, phone number, Medicaid ID, the last four digits of your social security number, ethnicity, race, birth record, physical traits, education, income, benefits, Medicaid information, financial eligibility, program eligibility, lock-in data, and spenddown data.” 

303,965 individuals’ were impacted by this event. In combination with the IDHS event, this totals approximately 1 million people affected. 

The exposure of such personally identifiable information (PII) could potentially leave people vulnerable to phishing schemes, social engineering attacks and other targeted cybercrimes.