The personal information of nearly two million Texans was exposed for nearly three years due to a programming issue at the Texas Department of Insurance (TDI).
In a state audit report published last week, the department revealed that details of 1.8 million workers who have filed compensation claims were publicly available online from March 2019 to January 2022. The exposed data included Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries.
In a public notice on March 24, the TDI said it first became aware on January 4, 2022 of a security issue with a TDI web application that manages workers’ compensation information. This issue enabled members of the public to access a protected part of the online application.
The TDI, a state agency that oversees the insurance industry in Texas and enforces state regulations, immediately took the application offline, quickly fixed the issue and began an investigation into the nature and scope of the event with a forensics company. It then issued letters to individuals who submitted a new workers’ compensation claim between March 2019 and January 2022 to inform them they may
The recently published state audit revealed 1.8 million workers were impacted by the leak.
In an updated press release published on Tuesday, May 17, TDI said the investigation did not find any evidence that workers’ personal information had been misused. “In January 2022, TDI began an investigation to determine the full nature and scope of the issue, which included working with a forensic company and working to find out whose information was or might have been viewed by people outside of TDI. To date, we are not aware of any misuse of the information,” it stated.
The department added that it is offering 12 months of credit monitoring and identity protection services at no cost to those who may have been affected.
Commenting on the story, Neil Jones, director of cybersecurity evangelism, Egnyte, warned: “The recent data breach at the TDI is especially concerning because worker’s compensation data inherently includes PII (Personally Identifiable Information) and PHI (Protected Health Information), which are potential treasure troves for cyber-attackers. Although there’s no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right time to post their breached data to the Dark Web.”
Last year, lawmakers in Texas passed a bill requiring notices to be published online of any data breaches involving the personal information of 250 or more Lone Star State residents.