The Employees Retirement System of Texas (ERS) has discovered a problem with its ERS OnLine portal. When some people logged into the portal and performed certain actions, they were able to view the data of other members.
According to ERS, a coding error was introduced on January 1, 2018 and impacted the “Annual Out-of-Pocket Premium” feature of the ERS OnLine system. Some retirees, personnel on leave without pay, direct-pay members, and COBRA participants use this feature. It makes it possible for those who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to view their premium payment details. However, the error caused the information of other members to be displayed.
ERS explained that the coding error displayed the information of other members only when someone performed a search using the flawed function. Since only a limited number of people would have used that function, it was deemed unlikely that the sensitive information of most members was exposed. In cases where ePHI was displayed, it was shown only to the single logged-in user who ran the search. The information was never accessible to the public and hackers did not gain access to any data.
Individuals who have been affected by the breach would likely have had their first and last name, ERS member identification number (EmplID) and Social Security number disclosed.
ERS discovered the security issue on August 17, 2018 when a member alerted ERS that a modified search had resulted in the names, Social Security numbers and ERS ID numbers of 50 other members being displayed. ERS immediately took the ERS OnLine system offline so that the coding error could be found and corrected. ERS brought the system back online shortly afterward but disabled the flawed search function.
ERS has conducted a full investigation to find out the scope of the breach and determine whether any other system functions were affected. That investigation confirmed that only the search function was affected by the coding error. To prevent the occurrence of similar errors in the future, stricter controls on code design and code reviews have been implemented.
All members whose information has been compromised have been sent a breach notification letter in the mail and have been enrolled in Experian’s identity restoration service for one year without charge.
ERS has notified the HHS’ Office for Civil Rights. The breach report shows as many as 1,248,263 people have potentially been affected by the data breach.