Data breach at Department of Insurance exposed personal information of 1.8 million Texans
The personal data was accessible to the public for nearly three years because of a glitch in the code of the department’s web application.
A massive security breach at the Texas Department of Insurance leaked the personal information of almost 2 million Texans for nearly three years, according to a state audit released last week.
The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.
The department did not publicly acknowledge the security issue until the state auditor’s office conducted a review in March, the auditor’s office said. On March 24, the Department of Insurance sent out a notice acknowledging it became aware of the issue in January.
The breach occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.
Texas Department of Insurance spokesperson Ben Gonzalez said the department temporarily disconnected the web application from the internet after identifying the breach.
“We found the issue was due to programming code that allowed internet access to a protected area of the application,” Gonzalez said in a statement. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.”
Gonzalez said the department worked with a forensics company to investigate whether the leaked personal information had been misused. It did not find any evidence of malfeasance, he said.
Gonzalez said the victims of the breach work for several employers who have workers’ compensation insurance coverage and that letters were sent out to the affected individuals TDI has identified to notify them of the incident.
He also said that TDI was already preparing to notify the public of the security breach while the state audit was ongoing, and that “TDI’s responses to the data event were unrelated to the State Auditor’s report.”
The Texas Department of Insurance is a state agency that oversees the insurance industry in Texas and enforces state regulations. Employers who have workers’ compensation insurance coverage can file claims with the state’s Division of Workers’ Compensation, a part of TDI, when they are injured or become sick on the job.
The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was breached.