The Employees Retirement System of Texas (ERS) reported on October 16, 2018, about a security incident that affected 1.25 million members.

ERS learned about the security incident on August 17, 2018.  There was a flaw in one of the search functions in ERS OnLine, which is a password-protected member portal.  Some, but not all, ERS members were able to see some other members’ or beneficiaries’ information.  This was due to a coding error.

The search function in question was the “Annual Out-of-Pocket Premium” that allowed members who pay their Texas Employees Group Benefits Program premiums with their post-tax money to see their own premium payment information.  These members can include retirees, direct-pay members, employees on leave without pay, and COBRA participants.

If a member went to this specific search function and modified the search, the member might have been able to see some information on other members.  This information included Social Security Numbers, ERS member-identification numbers, and the first and last names.  This was only viewable to members who logged in, used this specific feature, and made certain modifications to the search.  ERS did not specify what the modifications were.  Bank and credit-card information was not viewable with this search.  The information was available from January 1, 2018, to August 17, 2018.

After discovering the incident, ERS immediately shut down ERS OnLine and disabled the coding issue.  ERS then conducted a thorough investigation and came to the conclusion that it’s very unlikely that very much information was seen, let alone used for malicious means. Out of an abundance of caution, ERS is providing “identity restoration services” through Experian.  There will be no cost to the affected members and letters were sent to those members to notify them on how to enroll in this service.  This service will be available for 12 months, and members must enroll by the end of January next year.

ERS has now taken steps to help prevent this from happening again.  They reviewed ERS OnLine to ensure no other functions were affected, including a review of the code for similar functions.  ERS implemented controls on code design and code review, and they are continually reviewing automated and manual processes to further protect the members’ data.

If you have web applications like this, you may want to consider a web application penetration test in addition to your risk assessment.  Join HIPAAgps today to learn about other things you should do to round out your own risk assessment.