Many current and former federal employees who signed up for identity protection services after the cyber theft of their personal information soon will have to re-enroll to keep that coverage, administration officials said Monday.
A contract for those services expiring Dec. 1 will be replaced immediately by another but with a different company, Office of Personnel Management officials said.
The expiring contract, with Winvale/CSID, was issued in mid-2015 after OPM revealed that names, addresses, Social Security numbers, career histories and other information on some 4.2 million current and former federal employees had been stolen from a central personnel records database. The contract provided for automatic no-cost access to identity restoration services and insurance to cover costs of restoring a stolen identity. However, victims had to separately enroll for other free services including credit and identity monitoring.
Soon after, OPM revealed a much larger theft — also widely, although not officially, attributed as having links to China — affecting some 21.5 million people on whom the government did background investigations. That included federal, military and contractor personnel who applied for new or renewed security clearances — requiring them to provide highly personal life information — and also persons who had such checks performed for other reasons, such as to gain access to certain government facilities. OPM then issued a similar but longer contract, to ID Experts, related to that breach.
About 1.1 million people have signed up for additional monitoring services related to the personnel files breach and about 2.6 million enrolled for such services related to the background files breach, officials said.
There was some overlap between the two breaches: About 3.6 million of the 4.2 million current and former federal employees victimized by the personnel records hack also were hit by the background records breach.
It’s the 600,000 affected only by the personnel records breach who are affected by expiration of the Winvale/CSID contract, since the remainder continue to be covered under the background records-related contract with ID Experts, officials said. They don’t have a figure on how many of that 600,000 enrolled for the additional services with Winvale/CSID.
As of Dec. 2, ID Experts will take over services related to the personnel records breach under a separate contract. Impacted individuals still will be automatically covered by identity restoration and identity theft insurance. But those who enrolled with Winvale/CSID to receive the additional monitoring services must re-enroll with ID Experts to continue.
Officials said those who need to re-enroll should soon be receiving mailed notices including personal identification numbers to use. The notices also will effectively remind those who did not enroll that they are eligible and still can sign up.
OPM also is sending notices to agencies to provide to their employees and has posted information on the transition. That site has information for those uncertain which company they enrolled with or who may want to initially enroll now — including those who lost an identification number sent to them earlier.
Those already enrolled with ID Experts due to the background records breach will not have to take any action.
The new contract related to the personnel files hack will extend through the end of 2018, when ID Experts’ contract related to the background files breach also will expire.
A late-2015 change in law required keeping the protections in place for 10 years. Officials said no decision has been made on an end date or whether the time remaining after 2018 will be covered by one or more contracts. That law also boosted the identity theft insurance maximum from $1 to $5 million, an increase that took effect in June of this year.
Also in June, OPM sent a second round of letters related to the background investigations breach after making additional efforts to locate the victims; about a tenth of the original letters were undeliverable.