1.25 Million ERS of Texas Members Impacted by ERS OnLine Portal Breach


A flaw in the Employees Retirement System of Texas (ERS) OnLine portal was discovered when a number of people accessed the portal and saw the information of other ERS members.

ERS explained that the coding error first appeared on January 1, 2018, and affected the ERS OnLine system’s “Annual Out-of-Pocket Premium” feature. This feature is used by retirees, COBRA participants, personnel on leave without pay and direct-pay members. It lets members who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars view their premium payment information. Because of the error, ERS members could see not only their own information but also the information of other ERS members. In a number of instances, the information of beneficiaries who received payment from ERS and entered data in the ERS OnLine system was also exposed.

ERS noted that the system showed the data of other members to a person only if that person performed a modified search and made use of the flawed function. It is therefore quite unlikely that many members viewed the information of other members. Moreover, only logged-in members could see the flawed function in action, so only a minimal number of individuals would have seen it. Consequently, the extent of the breach was restricted. The public could not access the information and the system was not hacked.

The PHI possibly exposed because of the flawed feature was limited to the members’ first and last names, their ERS member identification numbers (EmplIDs) and Social Security numbers.

ERS became aware of the security breach on August 17, 2018. A member alerted the ERS admin after seeing the names, Social Security numbers and ERS ID numbers of 50 other members upon doing a modified search. ERS immediately discontinued access to the ERS OnLine system to find and fix the problem. The ERS system was soon back online, but with the flawed search function disabled.

ERS promptly notified by mail the members whose information was exposed. As a safety precaution, those members also received one year of free identity restoration services from Experian.

Third-party experts helped ERS perform a comprehensive investigation of the issue and determine whether other system functions were affected. ERS explained that only one function was flawed. To prevent the same errors from recurring, ERS imposed stricter controls and reviews of code designs.

The security breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights. There were about 1,248,263 individuals whose personal data were potentially exposed.