Fewer OPM Hack Victims Must Re-Enroll in Protection Services Than Originally Estimated

The Office of Personnel Management has issued a significant revision on the number of hack victims who will have to re-enroll to continue receiving credit monitoring and protection services, lowering estimates from 600,000 to between 100,000-150,000.

Sam Schumach, an OPM spokesman, said the numbers have changed “given some additional context.” Only up to 150,000 former and current federal employees whose information was exposed in a breach of OPM’s personnel records must re-enroll to continue receiving services as the agency switches from one private provider to another. The 600,000 figure represents the number of hack victims who were impacted only by the personnel records breach and not the second background investigations breach, which affected 21.5 million federal employees, retirees, job applicants and family members.

All 600,000 individuals will receive a notification of the service provider change and the need to either re-enroll, if they had already done so, or to enroll for the first time to receive the protection services.

The update comes as House lawmakers are questioning OPM on its efforts to smoothly move hack victims from one provider of credit monitoring and other services to another and seeking reassurance the process will not negatively impact employees and retirees.

OPM recently announced it had hired a new contractor to provide protection services to the 4.2 former and current federal employees whose personal information was exposed in a 2014 breach of personnel records. The initial contract with Winvale/CSID was set to expire after 18 months, but Congress has since required OPM to provide the services for 10 years. OPM has hired ID Experts, the same company currently providing services to victims of a second hack of OPM background investigations data, to offer protections starting December 1.

Up to 150,000 hack victims will have to re-enroll with ID Experts to continue receiving credit monitoring, OPM said, as that population was only affected by the initial hack and was therefore never offered protection under the second ID Experts contract. An additional 450,000 to 500,000 individuals will receive notifications and a renewed opportunity to enroll for the first time.

Reps. Jason Chaffetz, R-Utah, and Elijah Cummings, D-Md., the respective chairman and ranking member of the House Oversight and Government Reform Committee, as well as the chairmen and ranking members of various subcommittees, wrote to acting OPM Director Beth Cobert for documentation on how the agency plans to move employees and retirees from Winvale to ID Experts. The process, they said, “may create confusion.”

They requested OPM’s plan to communicate with hack victims on potential service impacts, how to differentiate between legitimate notifications and scams and the necessary steps for re-enrollment. OPM has said enrollees would see no disruption in service as long as they signed up with the new provider. The agency will send 600,000 notifications to those solely affected by the first hack, while those whose data were exposed in both breaches but did not sign up for protection in either case will be able to use the enrollment information sent to them last fall and winter.

The lawmakers also asked for the remaining value on the Winvale contract and how the company would staff call centers during the transition. They also requested details on what would happen to customer inquiries directed at Winvale after Dec. 1.

The oversight committee leaders demanded a plan for OPM’s communications with “federal employee representatives and other stakeholders” throughout the transition.  

Both ID Experts contracts are now set to expire at the end of 2018, at which point OPM will reassess commercial options and award a new contract.