10 years after OPM data breach, identity protection benefits for affected feds start to expire
Those who signed up for the MyIDCare program OPM established 10 years ago are receiving emails on a rolling basis informing them their services will expire 10 years to the day of their enrollment. The notices began going out to enrollees late last year and will continue through September, the end of the current fiscal year.
“This is to notify you that the credit monitoring and identity theft insurance coverage you were provided by the Federal government has a 10-year term, which ends on [10 years after enrollment date],” reads an April email viewed by Government Executive from MyIDCare, the OPM-backed service that offered credit monitoring, dark web scanning, insurance and recovery services to those impacted in the breach. The emails are now being sent to breach victims who enrolled in the services.
“This service was provided following the 2015 OPM cybersecurity incidents and has helped safeguard your identity. OPM provided identity and credit monitoring through MyIDCare, powered by IDX, in accordance with the Consolidated Appropriations Act of 2017 for a period of 10 years from 2015 - 2025,” it adds. The email gives users the ability to continue coverage, and links to a URL where they can explore options.
The hack was discovered in 2015, but the intrusions, which were overwhelmingly assessed to have been linked to China, began at least a year prior. OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families. More than 22.1 million people were impacted by the breaches.
Shortly after the hack was discovered, OPM offered three years and up to $1 million worth of protection services. Congress subsequently required the agency to expand the program to cover 10 years and up to $5 million.
OPM signed two contracts with ID Experts — now IDX — to provide the services, the first worth $340 million and the second worth up to $416 million.
Funding for services officially ended at the end of September, when the federal fiscal year calendar resets.
An OPM spokesperson said the agency looked into extending the program but decided it was too expensive.
“OPM evaluated extending the contract and determined it would not be a responsible use of taxpayer resources, given the high cost of the program and the very low level of claims in recent years,” an agency spokesperson said. “OPM remains committed to protecting sensitive data through robust cybersecurity, privacy, and risk management programs, with continuous monitoring to safeguard personnel information.”
The Government Accountability Office has criticized OPM for overpaying for the services, saying the level of coverage is “likely unnecessary” and may be distorting the identity theft insurance market.
Plaintiffs in a class action lawsuit reached a settlement in 2022 with the government that made $63 million available for those who could demonstrate financial hardship as a result of the breach. A federal judge closed out the case in 2024 after OPM and the Treasury Department doled out just $4.8 million to just more than 5,000 individuals. The remaining $58.2 million was returned to the U.S. Treasury.
One former federal contractor affected in the breach, who requested anonymity to speak candidly, reflected that personally identifying information exposed in the hack used to be viewed as the “most detrimental thing to all of us.”
Today, that’s no longer the case. “Our information continues to be pilfered time and time again,” the former contractor added. “It’s just fascinating how far we’ve come from caring about security and wanting to take the right measures to treating it like an afterthought.”
The end-of-services notifications caught some recipients by surprise. IDX has since peppered recipients with marketing emails imploring them to re-enroll in the service at their own expense, offering 50% off discounts and warning “you’re unprotected” in subject lines.
“It’s disturbing given that the government’s negligence caused people’s personal information to be stolen, and China still has that information,” said one former federal employee who received the termination notice.
One current senior federal agency official affected in the breach told Government Executive that 10 years is sufficient for coverage. “I can understand why they cut it off. It costs money to do that,” the senior official said.
The official added: “I think it’s incumbent on people themselves to protect their credit in their reporting and make sure they keep tabs on it. You can’t expect the government to continue to do that.” They said they would consider enrolling in the plan offered by IDX to continue coverage.
Some lawmakers have continued to push for lifetime coverage for those impacted by the breach, though legislative efforts have failed to advance. Sen. Mark Warner, D-Va., in a letter to OPM last year, highlighted the ongoing threats that breach victims still face.
“The federal workforce was dangerously exposed by the 2015 OPM breach, and millions of impacted individuals will continue to be at risk because of the breach, likely for the remainder of their lives,” Warner said. “Current and former public servants should not be abandoned to bear the risks of the federal government’s failure to protect their sensitive information.”