As Many as 150K OPM Hack Victims Must Re-Enroll to Keep Protection Services

Mark Van Scyoc/Shutterstock.com

OPM is switching benefit providers after initial contract expires.

Editors note: OPM initially said up to 600,000 individuals whose personal data was compromised would have to re-enroll in identity protection services, but the agency on Nov. 4 said further review found that only  100,000 to 150,000 had signed up for protection services and would need to re-enroll to continue receiving those services. All 600,000 will receive letters explaining how to either re-enroll in services, or sign up if they haven’t yet done so. The story and headline have been updated.

Some federal employees whose personal information was exposed in the breach of data maintained by the Office of Personnel Management will have to re-enroll to continue receiving credit monitoring and identity protection services, the agency announced Monday.

Of the 600,000 former and current federal workers impacted by the initial OPM hack involving personnel records, as many as 150,000 (those who signed up for protection services) will need to re-enroll to continue to receive those services past Dec. 1.   

The 18-month contract OPM originally awarded to Winvale/CSID is set to expire on that date, at which point ID Experts will take over as the benefits provider. ID Experts is currently providing services for the second OPM breach that exposed the background investigations data of 21.5 million current and former federal employees, job applicants and family members.

OPM has determined 600,000 individuals of the 4.2 million involved in the personnel records hack were solely affected by that initial breach and not the background investigations breach. Because the other 3.6 million victims were already notified their information was exposed in the second hack and offered services through ID Experts, they will not receive notifications from OPM of the provider switch.

They are, however, eligible to enroll in protection services from ID Experts at any point through the expiration of that contract, which will occur Dec. 31, 2018. Notifications were sent to victims of the background check hack last fall and winter. Individuals who already received ID Experts enrollment information but have not yet signed up can use the materials already sent to them to do so or go to OPM’s website to request a duplicate letter.

Individuals who signed up for services through Winvale, whether or not they also signed up for services through ID Experts, may receive a notification from Winvale letting them know the benefits they had been receiving from the company are expiring, a senior OPM official said.

The official added OPM is requiring the re-enrollment for those who currently exclusively receive benefits from Winvale out of concern over people’s security. The services they are receiving will not change, so long as they re-enroll. Hack victims who already signed up for protection services from ID Experts will not see any change in service and do not need to take any further action.

The change became necessary after Congress decided last year to require OPM to provide 10 years of credit monitoring and identity theft protection to hack victims. OPM had given 18 months of services to the original hack population and three years to the second, larger population. 

Both ID Experts contracts are now set to expire at the end of 2018, at which point OPM will reassess commercial options and award a new contract. The official said this timing would enable OPM to “pursue a better procurement strategy.”

ID Experts is a pre-approved vendor on the General Services Administration’s blanket purchase agreement for federal agencies offering identity protection following hacks, while Winvale is not. Both the process by which Winvale received the original contract, and its performance in providing customer service, came under fire in the months following the announcement.

The OPM official, made available to reporters Monday by the agency, was unaware of the value of the new contract or whether it was competitively bid.

Of the 4.2 million former and current employees in the original hack, 1.1 million enrolled in protection services; of the 21.5 million victims of the second hack, 2.6 million enrolled.