Notice to the Media - Incident Involving Protected Health Information

SPRINGFIELD - Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, and the Illinois Personal Information Protection Act, 815 ILCS 530/12, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively, the Departments) are notifying the media of an incident within the State of Illinois Application for Benefits Eligibility (ABE) system's Provider Portal.

The ABE system is the eligibility system for State-funded medical benefits programs (Medicaid), the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). The Provider Portal within ABE enables Medicaid providers to submit benefit applications for individuals online, with their consent. On August 22, 2022, the State discovered an issue embedded within ABE's Provider Portal. Upon investigation, the Departments discovered that individuals who applied to become Provider Portal users potentially could see certain customer applications, before they were approved users, if they clicked on certain buttons in a specific order that was different from the displayed instructions while logged into their account. This means that benefit applications that were submitted through the Provider Portal prior to August 23, 2022, potentially could have been accessed by users who went to the Provider Portal and went through the provider application process. The information that potentially could have been accessed included applicant name, gender, date of birth, county, application type, and application status. In some instances, additional information about the applicant, as well as other individuals included in the application for benefits, could have been viewed and could include any of the following: Social Security number, address, benefits applied for, income information, and medical information. To date, we do not know of any actual or attempted misuse of anyone's personal information as a result of this incident and information indicates the risk of access or misuse is low. The Departments do not have a basis to think many people were adversely impacted.

In response to this incident, as soon as the issue was discovered, the Departments shut down the ABE system Provider Portal on August 23, 2022, to fix the issue. The system was reopened on September 29, 2022.

The Departments notified the potentially affected individuals, the members of the Illinois General Assembly and the Office of the Illinois Attorney General on October 21, 2022.

The Departments are providing one year of credit monitoring and a dedicated phone line to provide assistance and further information about this incident. Individuals with a question about this incident can call 1-844-700-0330. The assistance line is available until January 23, 2023. Potentially affected individuals can also contact consumer reporting agencies to place a free fraud alert or security freeze on their accounts, or the Federal Trade Commission to learn more about fraud alerts, credit freezes, or other identity theft resources.

Contact information for consumer reporting agencies:

Experian

TransUnion

Contact information for the Federal Trade Commission:

Federal Trade Commission, 600 Pennsylvania Ave, NW, Washington, D.C. 20580, 1-877-382-4357 (Consumer Help Line)