Medical identity theft and tax refund fraud are also not always specifically addressed in identity theft services, GAO explained.
With regard to the two Office of Personnel Management (OPM) data breaches from 2015, GAO stated that the level of insurance coverage provided was “likely unnecessary because claims paid rarely exceed a few thousand dollars.”
OPM announced on June 4, 2015 that it had been the victim of a cyber attack. The agency then reported one month later that a significantly greater number of individuals were affected by a “separate but related” cybersecurity breach.
Approximately 21.5 million individuals were affected, with some of the compromised information including “identification details such as Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal acquaintances, health, criminal and financial history.”
“Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization,” Acting Director of the Office of Personnel Management Beth Cobert said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”
GAO stated in its report that OPM provided duplicative identity theft services for about 3.6 million people affected by both of its 2015 breaches.
“Contrary to key operational practices previously identified by GAO, OPM’s data-breach-response policy does not include criteria or procedures for determining when to offer identity theft services, and OPM has not always documented how it chose to offer them in response to past breaches, which could hinder informed decision making in the future,” GAO wrote.
“In the private sector, companies often offer consumers affected by a data breach complimentary identity theft services for reasons other than mitigating the risk of identity theft, such as avoiding liability or complying with state law.”
Identity theft services typically include one or more areas of assistance, such as credit monitoring, identity monitoring, and identity restoration, GAO explained. Medical identity theft, identity theft refund fraud, and certain other threats involving stolen personal information are generally not included.
“Evaluation and analysis of these services by both federal and private-sector entities is limited and tends to focus on outputs (such as contractor performance) rather than outcomes (such as reduction of harm from identity theft),” the report noted.
Out of the 26 identity theft services that GAO reviewed, the agency stated that only one “expressly addressed” medical identity theft.
“That product works with the explanation-of-benefits delivery system of the user’s health insurer to alert the user every time a claim is made against the user’s health plan benefits,” the report said. “Users can flag a claim as suspicious if, for example, they do not recognize the procedure or health care provider, and the company then will investigate the claim.”
Additionally, the service is offered as a benefit by health insurers to their members rather than being sold directly to consumers.
OPM did not provide GAO with many details about the types of services it offered following the 2015 breaches.
“The current officials told us that they could not find any formal documentation related to the decision to offer identity theft services or the process leading up to this decision,” GAO wrote. “The agency was able to identify a document comparing past public- and private-sector entities’ responses to breaches that may have been considered when determining which services OPM should offer after the second data breach (of background investigation records).”
OPM has previously been investigated over its large data breaches, with reports finding that certain preventive measures could have helped avert the incidents.
Toward the end of 2016, an OIG report found that a failure to prioritize cybersecurity and to adequately secure high-value data contributed to the data breaches.
Additionally, the OPM Inspector General (IG) warned the agency as early as 2005 that the information it maintained was potentially vulnerable to hackers.
OPM had an “absence of an effective managerial structure to implement reliable IT security policies,” and also “failed to implement the Office of Management and Budget’s (OMB) longstanding requirement to use multi-factor authentication for employees and contractors who log on to the network.”