A pair of 2015 cyber breaches at OPM impacted more than 22.1 million people, but only around 5,000 ended up receiving some compensation from a $63 million settlement. Douglas Rissing / Getty Images
Feds claims just 7% of available funds from OPM breach settlement, remainder returns to Treasury
Only a few thousand current federal workers, former employees and applicants cashed in from 2015 hack.
Current federal employees, retirees and others impacted by widespread breach of personal data maintained by the Office of Personnel Management took advantage of only a small portion of the money made available in a settlement agreement following the 2015 hack.
Plaintiffs in the class action lawsuit reached a settlement in 2022 with the government that made $63 million available for those who could demonstrate financial hardship as a result of the breach. A federal judge closed out the case last month after OPM and the Treasury Department doled out just $4.8 million to just more than 5,000 individuals. The remaining $58.2 million is set to go back to the Treasury on Thursday, according to court documents last month.
OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families. Those individuals were eligible to receive a minimum of $700 and up to $10,000 from the agreement if they could prove they were victims of the hack and incurred out-of-pocket expenses or lost compensable time. More than 22.1 million people were impacted by the breaches.
More than 27,000 impacted individuals filed a claim, though less than 20% were deemed payable after all disputes were resolved.
OPM and its contractor, now known as Peraton Risk Decision Inc., did not admit guilt as part of the settlement and were not responsible for making payment determinations to class members. That role fell to Epiq, the firm overseeing the implementation of the agreement.
The defendants also already agreed to pay the plaintiffs’ attorneys from Girard Sharp LLP $7 million in fees.
Dan Girard, a partner at the firm, said the plaintiffs thought the settlement was implemented successfully according to its terms and every claimant who submitted the required proof received compensation.
“The Information Privacy Act, the only claim that survived on appeal, allows for recovery only on proof of compensable loss,” Girard said. “Individuals who made claims were given multiple opportunities to submit the simplified proof called for under the terms of the settlement.”
Nearly all of the 22 million impacted by the breach no longer have any standing to sue the government or Peraton due to the hacks, except for 114 individuals who proactively asked to be excluded from the settlement.
In order to qualify for the payouts, hack victims had to show they purchased their own credit monitoring or identity theft protection services, accessed a credit report or made efforts to mitigate an identity theft incident. Epiq reviewed and audited all claims that it received. Individuals had to affirmatively make a claim to be eligible for monetary compensation on a website set up for that purpose. They were encouraged to provide documentation of their related expenses, for which they could be compensated up to $10,000.
Epiq provided notices to hack victims of the settlement and oversaw an advertising campaign to raise awareness of it.
Congress previously mandated that OPM provide victims 10 years of credit monitoring and identity theft protections. The agency has signed two contracts with ID Experts to provide the services, the first worth $340 million and the second worth up to $416 million. The Government Accountability Office has criticized OPM for overpaying for the services, saying the level of coverage is “likely unnecessary” and may be distorting the identity theft insurance market.