A tenth of those whose personal information was stolen from a government background investigation database still haven’t been formally notified that they were victimized, the Office of Personnel Management said Monday.

That might leave upwards of two million people still unaware that their personal identifying information including Social Security numbers—and much more personal information in some cases—was hacked more than a year ago.

That was the larger of the two cyber breaches of Office of Personnel Management databases disclosed last spring but that had occurred months before — and which triggered responses including an offer of free identity theft services in each case, which OPM is now expanding.

The background files breach involved records of some 21.5 million people on whom the government had performed those checks, mostly since 2000. They include federal, military and contractor personnel who were seeking new or renewed security clearances—which require them to disclose legal or financial troubles, for example—as well as persons checked merely to gain access to certain government facilities.

Because so many of those people never worked directly for the government, the notices were sent by mail, over the final months of last year.

The letters notify recipients that they are eligible for identity restoration services and insurance for costs related to identity theft. While those benefits are automatic, affected persons have to enroll to gain additional free identity monitoring and credit monitoring services.

“About 10 percent of the letters intended to reach those impacted by the background investigation incident were returned because people had moved, the letters were incorrectly addressed, or other factors,” OPM Acting Director Beth Cobert said in a message distributed Monday on an email list group.

“We have worked to get updated addresses for those whose letters were returned and we are now remailing letters to those who did not receive their original notification letter for the background investigation records incident,” she said. “The letter being mailed will clearly state at the top that it is a duplicate of the letter previously sent, but not successfully delivered.”

OPM also will post the letter at https://www.opm.gov/cybersecurity/ for those questioning whether it is legitimate. While OPM has said the acceptance rate for the services is high compared to similar offers made by private companies that have been hacked, some victims have been reluctant to enroll because it requires turning over personal information yet again.

Some of those not formally notified may have checked their status on that site or at 866-408-4555; those verified as affected are given an identification number to enroll for the monitoring services if they wish.

The other breach involved some 4.2 million federal employee personnel records, including identifying information, educational background, work histories and similar career information. As current or former federal employees, OPM had better contact information for them; they were notified last summer, mostly by email.

There was overlap between the two breaches — widely, but not officially, said to have originated in China — bringing the total affected to 22.1 million.

OPM recently said that only 6,800 problems like identity or credit theft have been reported out of that total, and that there’s no way to know whether the problems were directly related to those breaches or to others.

OPM carried out effective June 1 an increase in the identity theft insurance maximum from $1 million to $5 million as ordered by a late-2015 budget law, Cobert said in her message.

That law also required that the services be available for 10 years; the contract related to the personnel files breach applies only through this year, the other through 2018. Cobert said OPM is working on that extension and that it will “share additional information later this year.”

Aside from the identity services, OPM and other agencies have been working to better secure the databases and eventually move the background investigations database to the Defense Department’s control.

However, the independent inspector general’s office at OPM recently issued the latest in a series of audits critical of that project, concluding that there is “a very high risk that the project will fail to meet its stated objectives of delivering a more secure environment at a lower cost.”

It criticized agency management for not carrying out standard planning steps for such a project, including exploring all the options first and fully understanding the project’s scope, its cost and how it will be funded.