Personal Data of 1.8M Texans Exposed for Years by Texas Department of Insurance

A state audit finds the data was publicly available for almost three years and included names, dates of birth and Social Security numbers.

Attila Tomaschek
Attila is a Staff Writer for CNET, covering software, apps and services with a focus on virtual private networks. He is an advocate for digital privacy and has been quoted in online publications like Computer Weekly, The Guardian, BBC News, HuffPost, Wired and TechRepublic. When not tapping away on his laptop, Attila enjoys spending time with his family, reading and collecting guitars.
Expertise Attila has nearly a decade's worth of experience with VPNs and has been covering them for CNET since 2021. As CNET's VPN expert, Attila rigorously tests VPNs and offers readers advice on how they can use the technology to protect their privacy online.
Attila Tomaschek
2 min read
Unlocked padlock on a phone screen on top of a laptop keyboard.

Nearly 2 million Texans were affected by the unauthorized disclosure.

Angela Lang/CNET

The confidential personal data of 1.8 million Texans was exposed and available to the public for almost three years, according to a state audit report released last week. Information including names, Social Security numbers, addresses, phone numbers and dates of birth of Texans who filed workers' compensation claims with the Texas Department of Insurance was publicly available online from March 2019 until January 2022.

The unauthorized disclosure resulted from a glitch in the programming code of the department's web application that manages workers' compensation information, the department said. 

TDI became aware of the problem on Jan. 4, took the application offline and fixed the issue, the department said in a public notice released in March. In January, TDI began working with a forensic company to investigate the full nature and scope of the incident and determine "whose information was or might have been viewed by people outside of TDI," the department said.

"The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI," the department said in an updated press release Tuesday. "To date, we are not aware of any misuse of the information."

In addition to reviewing policies, procedures and security efforts, TDI is offering 12 months of credit monitoring and identity protection services at no charge to affected individuals. 

Despite increased awareness of data security issues, incidents like this demonstrate that data leaks and breaches are a problem that doesn't seem to be getting better. Last year, data breaches set a record high, and they're already up 14% in the first quarter of this year, compared with last year's levels. Millions of people are affected by major data breaches hitting high-profile companies seemingly every year.