Data breach at Department of Insurance exposed personal information of 1.8 million Texans, audit says

The personal information of almost 2 million Texans who filed claims with the Texas Department of Insurance was exposed and publicly available for nearly three years, according to a state audit released last week.

The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.

TDI officials said the department was in the midst of a regularly scheduled data management audit when the department discovered the unauthorized disclosure and reported it to auditors. On March 24, after the state’s audit was completed, TDI posted a public notice acknowledging it became aware of the issue in January, the auditor’s office said.

The incident occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.

Texas Department of Insurance spokesperson Ben Gonzalez said the department temporarily disconnected the web application from the internet after identifying the unauthorized disclosure.

"We found the issue was due to programming code that allowed internet access to a protected area of the application," Gonzalez said in a statement. "We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue."

Gonzalez said the department worked with a forensics company to investigate whether the leaked personal information had been misused. It did not find any evidence of malfeasance, he said.

Gonzalez said the people whose data was exposed work for several employers who have workers’ compensation insurance coverage. TDI has sent out letters to the affected individuals it has identified to notify them of the incident, he said.

He also said that TDI was already preparing to notify the public of the incident while the state audit was ongoing, and that "TDI’s responses to the data event were unrelated to the State Auditor’s report."

The Texas Department of Insurance is a state agency that oversees the insurance industry in Texas and enforces state regulations. Employers who have workers’ compensation insurance coverage can file claims with the state’s Division of Workers’ Compensation, a part of TDI, when they are injured or become sick on the job.

The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was exposed.

More info at the Texas Tribune