Health Data Exposed in Second OPM Data Breach, Officials Say
June 15, 2015 in News
On Friday, the White House announced that millions of individuals could have been affected by a second Office of Personnel Management data breach, this time targeting the agency’s security clearance database and exposing personal information such as mental health histories, the New York Times reports (Shear/Shane, New York Times, 6/12).
Officials said the hack of the security clearance database was separate from a breach of federal personnel data that was announced earlier this month.
Background on First OPM Data Breach
On June 4, OPM disclosed a cyber incident that could have affected up to 14 million current and former federal employees (Dilanian/Bridis, AP/San Francisco Chronicle, 6/15).
The breach was discovered in April, though the incident itself could stretch back to late last year. OPM officials were unable to say whether any data were taken, only that hackers had gained access.
Specifically, OPM CIO Donna Seymour said that the hackers were able to access information that would commonly be included in a personnel file, such as benefit elections and Social Security numbers. Seymour noted that the accessed files did not contain health care information (iHealthBeat, 6/5).
Details of Second OPM Breach
OPM spokesperson Sam Schumach said FBI investigators concluded “with a high degree of confidence” that the security clearance database had been compromised.
According to a government official who asked to remain anonymous, investigators uncovered the second breach while determining the extent of the first one.
The affected database contains copies of Standard Form 86, a questionnaire filled out by applicants for national security positions. According to the Times, the forms can include health data, such as treatments or hospitalizations for “an emotional or mental health condition,” among other information (New York Times, 6/12).
In addition, the forms include:
- Information on applicants’ contacts and relatives; and
- Social Security numbers.
Officials said that almost all security clearance holders had potentially been affected by the database breach. As of October 2014, more than four million individuals had been investigated for security clearance, government records show (AP/San Francisco Chronicle, 6/15).
Security experts and some officials say evidence from the two incidents suggests the cyberattacks were carried out by Chinese hackers.
President Obama Weighing Financial Sanctions
Meanwhile, White House press secretary Josh Earnest on Friday said that President Obama was considering the use of an executive order signed in April that would allow him to place financial sanctions on the hackers, the Times reports.
Obama signed the order following a major cyberattack on Sony Pictures (New York Times, 6/12). In that attack, documents with identifiable health information on dozens of employees were released, including their health conditions and health care costs (iHealthBeat, 1/14).
Under the order, the Obama administration can:
- Bar U.S. residents from conducting business with groups that sponsor cyberattacks;
- Cut the cyberattack-sponsoring groups off from U.S. products and technology; and
- Freeze the groups’ assets in the U.S. (New York Times, 6/12).