Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says

Texas Department of Insurance Commissioner Cassie Brown. (Texas Department Of Insurance Website, Texas Department Of Insurance Website)

Sign up for The Brief, our daily newsletter that keeps readers up to speed on the most essential Texas news.

The personal information of almost 2 million Texans who filed claims with the Texas Department of Insurance was exposed and publicly available for nearly three years, according to a state audit released last week.

The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.

TDI officials said the department was in the midst of a regularly scheduled data management audit when the department discovered the unauthorized disclosure and reported it to auditors. On March 24, after the state’s audit was completed, TDI posted a public notice acknowledging it became aware of the issue in January, the auditor’s office said.

The incident occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.

Texas Department of Insurance spokesperson Ben Gonzalez said the department temporarily disconnected the web application from the internet after identifying the unauthorized disclosure.

“We found the issue was due to programming code that allowed internet access to a protected area of the application,” Gonzalez said in a statement. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.”

Gonzalez said the department worked with a forensics company to investigate whether the leaked personal information had been misused. It did not find any evidence of malfeasance, he said.

Gonzalez said the people whose data was exposed work for several employers who have workers’ compensation insurance coverage. TDI has sent out letters to the affected individuals it has identified to notify them of the incident, he said.

He also said that TDI was already preparing to notify the public of the incident while the state audit was ongoing, and that “TDI’s responses to the data event were unrelated to the State Auditor’s report.”

The Texas Department of Insurance is a state agency that oversees the insurance industry in Texas and enforces state regulations. It is required by the Texas Legislature to collect data from employees who were injured or became sick on the job and filed a worker’s compensation claim through their insurance provider. The data is tracked for statistical purposes and helps the agency create new policies, said Joe McElrath, TDI’s deputy commissioner for business process.

Through its Division of Workers’ Compensation, TDI serves as an arbitrator whenever there’s a dispute between an employee, their employer, an insurance carrier or any other party involved in a worker’s compensation claim.

The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was exposed.


Tickets are on sale now for the 2022 Texas Tribune Festival, happening in downtown Austin on Sept. 22-24. Get your TribFest tickets by May 31 and save big!

Correction, May 17, 2022: A previous version of this story incorrectly stated that employers who have worker’s compensation insurance coverage can file claims with a unit within the Texas Department of Insurance. The agency provided the erroneous information to the Tribune but later said it does not process workers’ compensation claims; it serves as an arbitrator whenever there’s a dispute between the parties involved in a claim filed in Texas.