Share this article on:
The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal allowed certain individuals to view information of other members after logging into the portal.
ERS explained that a coding error, introduced on January 1, 2018, affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine system. The function is used by some retirees, direct-pay members, employees on leave without pay and COBRA participants. The function “allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information.” However, the flaw meant that certain ERS members were displayed information about other members and in some cases, certain beneficiaries – if those beneficiaries had received some form of payment from ERS and had information in the ERS OnLine system.
ERS notes that the coding error only returned other members’ information when individuals performed a modified search via the affected function and therefore it is “very unlikely” than most members information was accessed by other members. Since the function could only be used after logging in, and was only available to a limited group of individuals, the breach was limited in scale. Information was not exposed to the public at any point and its system was not hacked.
As a result of the error, the following information could potentially have been disclosed to other individuals: First and last names, Social Security numbers, and ERS member identification numbers (EmplIDs).
The security issue was discovered by ERS on August 17, 2018 when an ERS member raised the alert after a modified search returned the names, ERS ID numbers, and Social Security numbers of 50 other members. ERS immediately shut down the ERS OnLine system while the flaw was identified and corrected. The system was brought back online rapidly with the flawed search function disabled. ERS notes that the 50 members whose information was accessed were notified promptly.
ERS conducted a thorough investigation of the issue to determine if any other functions were affected, with assistance provided by third-party experts. ERS reports that the flaw was limited to the single function. Further controls on code design and code reviews have now been implemented to prevent any similar errors from resulting in the exposure of sensitive information in the future.
All affected members have been notified by mail and have been automatically enrolled in identity restoration services through Experian, which will be provided for one year without charge.
The security incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates up to 1,248,263 individuals have potentially been affected by the breach.