Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says

By Jason Beeferman

The personal information of almost 2 million Texans who filed claims with the Texas Department of Insurance was exposed and publicly available for nearly three years, according to a state audit released last week.

The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers, and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.

TDI officials said the department was in the midst of a regularly scheduled data management audit when the department discovered the unauthorized disclosure and reported it to auditors. On March 24, after the state’s audit was completed, TDI posted a public notice acknowledging it became aware of the issue in January, the auditor’s office said.

The incident occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.

Texas Department of Insurance spokesperson Ben Gonzalez said the department temporarily disconnected the web application from the internet after identifying the unauthorized disclosure.

“We found the issue was due to programming code that allowed internet access to a protected area of the application,” Gonzalez said in a statement. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.”

Gonzalez said the department worked with a forensics company to investigate whether the leaked personal information had been misused. It did not find any evidence of malfeasance, he said.

Gonzalez said the people whose data was exposed work for several employers who have workers’ compensation insurance coverage. TDI has sent out letters to the affected individuals it has identified to notify them of the incident, he said.

He also said that TDI was already preparing to notify the public of the incident while the state audit was ongoing, and that “TDI’s responses to the data event were unrelated to the State Auditor’s report.”

The Texas Department of Insurance is a state agency that oversees the insurance industry in Texas and enforces state regulations. It is required by the Texas Legislature to collect data from employees who were injured or became sick on the job and filed a worker’s compensation claim through their insurance provider. The data is tracked for statistical purposes and helps the agency create new policies, said Joe McElrath, TDI’s deputy commissioner for business process.

Through its Division of Workers’ Compensation, TDI serves as an arbitrator whenever there’s a dispute between an employee, their employer, an insurance carrier, or any other party involved in a worker’s compensation claim.

The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was exposed.

To learn more about the event and steps people who were potentially affected can take to protect their information, see TDI’s webpage www.tdi.texas.gov/data-security-event.

This story was originally published by the Texas Tribune.