TX: Statement and Frequently Asked Questions about the 2018 ERS OnLine Security Incident
From the Employees Retirement System of Texas, this breach information notice. Note that this was reported to HHS with ERS listed as a health plan, and the breach was reported as affecting 1,248,263 members, but also note that no medical or health information was reportedly involved.
On August 17, 2018, the Employees Retirement System of Texas (ERS) learned about a security issue in our password-protected portal called ERS OnLine. A now-corrected security flaw allowed certain ERS members who logged in with their username and password, and used a specific function to input search criteria, to view some member information that was not theirs. More information about this issue is provided below. We apologize for any inconvenience or distress it might have caused anyone and deeply regret that it happened. ERS works extremely hard to protect all the information entrusted to us and will continue to do so.
1. What happened?
A flaw in a specific search function in ERS OnLine, a password-protected online member portal, allowed some, but not all, ERS members to see some other members’ or certain beneficiaries’ information. (Only beneficiaries who have gotten some type of payment from ERS have information in ERS OnLine.) Based on our thorough investigation of the incident, it is very unlikely that most members’ information was accessed, and we have no reason to believe that any information was used for fraudulent purposes.
2. How did it happen?
A coding issue in a specific function in ERS OnLine caused an error in the “Annual Out-of-Pocket Premium” function starting January 1, 2018. That function allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information. This includes the following participants: some retirees, direct-pay members, employees on leave without pay and COBRA participants.
3. Was this done by a hacker?
No. This was not a hack, and was not committed by a hacker.
4. What information were they able to see?
If a member went to the specific function and modified the search, they might have been able to see the first and last names, Social Security numbers, and ERS member identification numbers (known as EmplIDs) for a limited group of members.
5. How could members get access to information that was not their own?
Access required a member to log in to the ERS OnLine member portal with their username and password and then go to the specific function and modify the search. The member portal is available only to ERS members, and the specific function was available only to certain members, not all members.
6. How do I know if someone saw my information?
Based on our thorough investigation, it is very unlikely that most members’ or beneficiaries’ information was seen, and we have no reason to believe that any information was used or will be used for fraudulent purposes. We are making people aware of the issue because there’s a slight possibility some ERS members might have seen their fellow members’ information, and because we take your privacy and data security very seriously.
7. Should I close my bank account?
Bank account information could not have been seen from the flawed search function.
8. Should I close my credit card accounts?
There is no information about your credit cards in ERS OnLine.
9. Was anyone able to see my health insurance claims or any information about my health conditions?
No. That information is not kept in ERS OnLine.
10. Why is my information available in ERS OnLine?
ERS needs this information to administer your benefits.
11. What do I do if my identity is stolen?
Based on our thorough research, it’s very unlikely most members’ and beneficiaries’ information was seen as a result of this issue. We have no reason to believe that any information was used for fraudulent purposes. But because we take privacy and data security very seriously, ERS is providing identity restoration services through Experian to members and beneficiaries who might have been affected, at no cost to them. Starting on October 13, 2018, ERS has mailed detailed letters to those members and beneficiaries. The letter includes information about Experian’s services and how to enroll in them. You can find more information at www.ExperianIDWorks.com/credit or contact an Experian agent, toll-free, at (877) 736-2221. The services are available through October 13, 2019, but eligible individuals must enroll by January 31, 2019.
12. How long was the information public?
The information was never public at any time. Access required an ERS member to log in to ERS OnLine with their username and password, and then go to the specific search function. The member portal is available only to ERS members and the specific search function was available only to some, not all, members.
13. How long was the function not working properly?
The function was available in error from January 1, 2018 to August 17, 2018.
14. When did you find out about the issue?
ERS learned of the issue on August 17, 2018.
15. How did you find out about the issue?
A concerned ERS member reported to us that, while performing a specific search for his own information, he was able to see the first and last names, Social Security numbers and ERS EmplIDs for 50 other ERS members. We have notified those 50 members that their information was seen by a fellow ERS member.
16. What did you do when you found out about the issue?
ERS immediately shut down ERS OnLine and disabled the flawed search function. ERS OnLine was brought back online quickly, but the flawed search function is no longer available. ERS performed an extensive analysis to identify the cause of the problem, correct it and take steps to prevent it in the future.
17. If ERS knew about the issue on August 17, why didn’t you notify people sooner?
As soon as we learned about the flaw in the search function, we immediately shut down ERS OnLine and disabled the flawed search function. Then, working with outside experts, we thoroughly investigated the problem and then began notification.
18. What are you doing to prevent this from happening again?
ERS has taken and continues to take steps to prevent this from happening in the future. Specifically, we:
- reviewed ERS OnLine to ensure no other functions were affected,
- implemented controls on code design and code reviews intended to prevent this type of error,
- thoroughly reviewed the coding for similar functions and did not find any other occurrences of this issue, and
- are continually reviewing our manual and automated processes to further improve protection of members’ data.
19. How is ERS going to pay for identity protection services for members and beneficiaries who need to use them?
The services will be paid for out of ERS’ administrative funds. The expense will have no impact on the benefits we administer for members and their families.
20. Was the information password-protected or encrypted?
Yes. Members can access their own information only by logging in to ERS OnLine with a username and password. ERS gives password-protected access only to ERS members. If you’re not a member of ERS, you cannot get into the online member portal.
21. Has anyone been adversely affected as a result of this incident?
We have not heard about anyone being adversely affected and have no reason to believe the information has been or will be used for fraudulent purposes.
22. I think my information is in ERS OnLine, but I didn’t get a letter. What do I need to know?
You can see a copy of the letter here. If you can’t access it, please call (877) 736-2221, toll-free.
23. The letter says ERS enrolled me in Experian’s services. If I’m already enrolled, why do I have to call them with my information and the activation code?
There are two types of services. ERS enrolled you in Experian’s identity restoration services, which you can take advantage of if you think there was fraudulent use of your information as a result of this incident. In addition, you have the choice to enroll in another level of fraud protection called Experian IdentityWorks, which includes credit monitoring. The activation code and other information is required only if you choose to enroll in Experian IdentityWorks. You can find more information about what services are included in the IdentityWorks program on the back of the first page of your letter from ERS, under the heading “ADDITIONAL DETAILS ABOUT YOUR 12-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP.” If you still have questions, the Experian Customer Care team can provide details about the differences between the two services. Call them, toll-free, at (877) 736-2221.
24. I don’t have an account with ERS. Why did I get a letter?
ERS sent letters to everyone whose information is in ERS’ online member portal as a member or a payee. That includes current and former ERS members, alternate payees under Qualified Domestic Relations Orders (QDROs), beneficiaries of deceased ERS members and the estates of deceased ERS members. If you are or were an ERS member, or got at least one payment from ERS as an alternate payee or beneficiary of an ERS member, your information is in our ERS online member portal.
25. I got a letter for a deceased person. Why?
If you got a letter addressed to the estate of a deceased person, ERS sent that because the decedent was a member of ERS and still has information in ERS’ records, including in ERS OnLine. Because of this, there is a possibility a fellow ERS member might have seen the decedent’s information. We take everyone’s data security very seriously and notified the family or beneficiaries.
If you got a letter addressed directly to the decedent, it is because we were unaware that he or she passed away. We hope you can call us when you have a few minutes, so we can update our records.
26. I got more than one letter about this issue. Why?
ERS sent letters to everyone whose information is in ERS OnLine. That includes current and former ERS members, the beneficiaries of deceased ERS members and the estates of deceased ERS members. If you are an ERS member yourself, or were at one time, and are also a beneficiary or manage the estate of a deceased ERS member, you got one letter as a current or former member and one letter as a beneficiary or manager of the estate of the deceased member.
27. What can I do to protect my identity after an incident like this?
ERS members and beneficiaries who might have been affected have been enrolled in Experian’s identity restoration services, at no cost to themselves. They may also enroll in Experian’s credit monitoring services, also at no cost to themselves. The services are available through October 13, 2019, but eligible individuals must enroll by January 31, 2019. You can find more information at www.ExperianIDWorks.com/credit or contact an Experian agent, toll-free, at (877) 736-2221.
ERS also recommends following usual good practices to protect your identity, including regularly reviewing account statements, periodically obtaining copies of credit reports from one or more of the national credit reporting agencies and reporting any suspicious activity to law enforcement.
In addition, Experian offers the following helpful Information about identity theft protection:
“We recommend that you regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.
Equifax, P.O. Box105139, Atlanta, Georgia 30374-0241, 1-800-685-1111, www.equifax.com
Experian, P.O. Box 2002, Allen, TX 75013, 1-888-397-3742, www.experian.com
TransUnion, P.O. Box 6790, Fullerton, CA 92834-6790, 1-800-916-8800, www.transunion.com
“When you receive your credit reports, review them carefully. Look for accounts or creditor inquiries that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.
“We recommend you remain vigilant with respect to reviewing your account statements and credit reports, and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the Federal Trade Commission (“FTC”). You may contact the FTC or your state’s regulatory authority to obtain additional information about avoiding identity theft.
- Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft
“You may want to order copies of your credit reports and check for any medical bills that you do not recognize. If you find anything suspicious, call the credit reporting agency at the phone number on the report. Keep a copy of this notice for your records in case of future problems with your medical records. You may also want to request a copy of your medical records from your provider, to serve as a baseline.
“Fraud Alerts: There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three national credit reporting agencies listed below.
“Credit Freezes: You may have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. In addition, you may incur fees to place, lift and/or remove a credit freeze. Credit freeze laws vary from state to state. The cost of placing, temporarily lifting, and removing a credit freeze also varies by state, generally $5 to $20 per action at each credit reporting company. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information.
“You can obtain more information about fraud alerts and credit freezes by contacting the FTC or one of the national credit reporting agencies listed above.”