Illinois Department of Human Services privacy breach exposes more than 4,500 Social Security numbers

CHICAGO — The Illinois Department of Human Services (IDHS) announced Friday that it suffered a privacy breach earlier this year, which exposed the information of thousands of customers.

According to the IDHS, the incident occurred on April 25 after an outside entity, through a phishing campaign, was able to gain access to the accounts of several employees and the files associated with the accounts, which included the Social Security numbers (SSN) of 4,701 customers and three employees.

Alongside the Social Security numbers, public assistance account information for 1,118,993 customers, which did not include any SSNs, was also accessed.

The public assistance account information included names, public assistance account numbers, and some combination of addresses, dates of birth, Illinois State Board of Education Student Information System ID numbers, Recipient Identification Numbers and cell phone numbers.

IDHS notified the Illinois Department of Innovation and Technology (DoIT) about the breach on May 3, and determined that it was a reportable breach of security under the Personal Information Protection Act (PIPA).

Under PIPA, the IDHS was required to notify all individuals who were affected and sent out substitute notices for the 1,118,993 customers whose public assistance account information was accessed as well as written notices to 2,918 customers whose SSNs.

The IDHS said 1,783 individuals whose addresses were not on file would be considered notified through a media release and a website posting.

IDHS said it continues to train its employees on how to avoid and report phishing attempts.