Insurance regulator implicated in mass data leak

Insurance regulator implicated in mass data leak | Insurance Business America


A recent audit of the Texas Department of Insurance (TDI) uncovered that the personal information of almost two million workers’ compensation claimants was exposed for anyone to see on the internet.

TDI first broke the news of the potential privacy breach in a release issued March 24, 2022. In that release, the regulator said that it first became aware of the security issue on January 04, 2022, when it was undergoing a state audit – it found that there was a security issue with a TDI web application which manages workers’ comp information. TDI said it immediately took down the application and fixed the issue, and that it launched an investigation into the matter.

“We found the issue was due to programming code that allowed internet access to a protected area of the application,” said TDI spokesperson Ben Gonzales in a statement to The Texas Tribune. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.”

It was found that the personal information of 1.8 million Texans who have filed workers’ comp claims with TDI was exposed – in particular, those who filed a claim between March 2019 and January 2022. Information including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries was accessible through the application’s coding loophole.

Gonzales said that TDI worked with a forensics company to investigate whether the leak had led to identity theft and abuse; no evidence of malfeasance has been found, to date. The spokesperson also said that TDI was already planning to notify the public of the leak while the state audit was ongoing, and that the regulator’s responses to the data event “were unrelated to the State Auditor’s report.”

TDI will send letters to individuals whose data may have been compromised by the leak. The letters include instructions on how recipients can enroll in free credit monitoring. The regulator added that those who do not get a letter but have had a workers’ comp claim since 2006 may also qualify for credit monitoring.