Breaking News
More () »

Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says

The personal data was accessible to the public because of a glitch in the code of the department’s web application.
Credit: Callie Richmond for The Texas Tribune
The office of the Division of Workers’ Compensation and the Office of Injured Employee Counsel, both of which are housed at the Texas Department of Insurance.

The personal information of almost 2 million Texans who filed claims with the Texas Department of Insurance was exposed and publicly available for nearly three years, according to a state audit released last week.

The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.

TDI officials said the department was in the midst of a regularly scheduled data management audit when the department discovered the unauthorized disclosure and reported it to auditors. On March 24, after the state’s audit was completed, TDI posted a public notice acknowledging it became aware of the issue in January, the auditor’s office said.

RELATED: Yes, Cash App had a data breach. Here’s who’s impacted

The incident occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.

Texas Department of Insurance spokesperson Ben Gonzalez said the department temporarily disconnected the web application from the internet after identifying the unauthorized disclosure.

“We found the issue was due to programming code that allowed internet access to a protected area of the application,” Gonzalez said in a statement. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.”

Gonzalez said the department worked with a forensics company to investigate whether the leaked personal information had been misused. It did not find any evidence of malfeasance, he said.

Gonzalez said the people whose data was exposed work for several employers who have workers’ compensation insurance coverage. TDI has sent out letters to the affected individuals it has identified to notify them of the incident, he said.

RELATED: Information for over 6,000 Memorial Hermann patients accessed in security breach

He also said that TDI was already preparing to notify the public of the incident while the state audit was ongoing, and that “TDI’s responses to the data event were unrelated to the State Auditor’s report.”

The Texas Department of Insurance is a state agency that oversees the insurance industry in Texas and enforces state regulations. Employers who have workers’ compensation insurance coverage can file claims with the state’s Division of Workers’ Compensation, a part of TDI, when they are injured or become sick on the job.

The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was exposed.

This story comes from our KHOU 11 News partners at The Texas Tribune, a nonprofit, nonpartisan media organization that informs Texans - and engages with them - about public policy, politics, government, and statewide issues.

KHOU 11 on social media: Facebook | Twitter | Instagram | YouTube

Before You Leave, Check This Out