The confidential personal data of 1.8 million Texans was exposed and available to the public for almost three years, according to a state audit report released last week. Information including names, Social Security numbers, addresses, phone numbers and dates of birth of Texans who filed workers' compensation claims with the Texas Department of Insurance was publicly available online from March 2019 until January 2022.
The unauthorized disclosure resulted from a glitch in the programming code of the department's web application that manages workers' compensation information, the department said.
TDI became aware of the problem on Jan. 4, took the application offline and fixed the issue, the department said in a public notice released in March. In January, TDI began working with a forensic company to investigate the full nature and scope of the incident and determine "whose information was or might have been viewed by people outside of TDI," the department said.
"The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI," the department said in an updated press release Tuesday. "To date, we are not aware of any misuse of the information."
In addition to reviewing policies, procedures and security efforts, TDI is offering 12 months of credit monitoring and identity protection services at no charge to affected individuals.
Despite increased awareness of data security issues, incidents like this demonstrate that data leaks and breaches are a problem that doesn't seem to be getting better. Last year, data breaches set a record high, and they're already up 14% in the first quarter of this year, compared with last year's levels. Millions of people are affected by major data breaches hitting high-profile companies seemingly every year.