Privacy Breach Involving Office of Hearings and Appeals Indian Probate Records

On January 14, 2021, the Office of Hearings and Appeals (OHA) was notified by an OHA employee that a search conducted on the OHA “Search Decisions” public website had resulted in the unauthorized disclosure of records related to Indian probate hearings and appeals proceedings. The OHA immediately took the website offline and started an investigation.

The cause of the incident involved an undetected software issue that allowed a limited number of restricted records to be potentially accessed when specific searches were conducted on the site. The incident was determined to be the result of a misconfiguration and was not a cyber-attack. The issue has been resolved and the DOI is working to review its processes and identify corrective actions. As a result of the incident, the personally identifiable information of individuals whose information was contained in the records was potentially accessible to public users who were utilizing the search function.

OHA was initially informed by an OHA employee that a search conducted on the OHA “Search Decisions” public website could potentially access copies of records related to Indian probate hearings and appeals proceedings that were not authorized for public release. Upon notification, OHA worked with the Office of the Chief Information Officer to contain the breach and investigate the extent of the compromise.

Individuals who are parties in Indian probate hearings and appeals proceedings, including possible heirs, were potentially impacted by the breach. OHA took immediate steps to determine the potential risks and identify potentially affected individuals. OHA is sending notification letters to individuals whose information may have been compromised. Affected individuals are encouraged to monitor their financial information and be suspicious of unusual unsolicited phone calls, visits, or email messages from individuals asking for information. Individuals who receive a notification letter will be offered identity protection services at no cost to them.

This incident involves records related to Indian probate hearings and appeals. These records may contain information of decedents and all potential heirs, including parents, siblings, spouses, children, grandchildren, and other family members who are parties to the probate case.

Notifications will be sent to parents or legal guardians of minors who may have been impacted.

Surviving spouses of decedents may also be impacted due to the heightened risk of identity fraud that may impact the deceased individual's estate. This creates liability for a surviving spouse if, for example, his or her name is on joint accounts. Surviving spouses may send death certificates to the Internal Revenue Service and major credit bureaus with a request to place a "deceased alert" on the account to prevent new activity.

The information contained in the Indian probate records vary by case and may have included name, address, date of birth, place of birth, contact information, Tribal enrollment number, BIA identification number, degree of Indian blood, family relationship, information on marriages and divorce, or adoption records. A limited number of individuals’ records included Social Security numbers. At this time, we cannot confirm whether any information was actually misused in any way. However, we are offering identity protection services for potentially affected individuals for a period of twelve months at no cost to them and are asking individuals to be vigilant and take precautionary measures to protect themselves.

OHA worked with Department offices to conduct a thorough investigation that included technical evaluations of system configurations, logs, and an in-depth assessment of case files and data elements to assess the risks to potentially affected individuals. These assessments required extensive coordination with multiple organizations to ensure DOI and OHA identified the scope of the incident and the individuals who are potentially affected. In April 2021, OHA notified potentially affected individuals of the breach and offered credit monitoring and identity protection services for one year. OHA subsequently contracted with a privacy breach specialist to conduct a deeper analysis of the incident and identify any additional potentially affected individuals. These investigations required sophisticated technical scans, analysis, and manual reviews that occurred over several months. As a result of this analysis, OHA identified an additional 295 cases with 2,122 potentially affected individuals and is notifying these individuals and offering identity protection services for one year at no cost to them.

Following the initial investigation and notification of individuals in April 2021, the Department and OHA contracted with a privacy breach specialist for additional analysis of the data. Several more sophisticated scanning tools and cross-checking initiatives were completed. As a result of this analysis, OHA identified an additional 295 cases with 2,122 potentially affected individuals who will also receive notification letters with an offer of identity protection services for one year at no cost to them.

OHA worked with the Department’s experts to identify process improvements and security protocols to protect sensitive data and determine how best to protect data going forward. These efforts include full separation of publicly available data from internal case files. Information meant to be available to the public and data deemed to be internal are now on separate servers with separate licenses. Public and internal search capabilities are now maintained separately to prevent any compromise of internal files through the public search function. In addition, while not a factor in the breach, OHA reviewed its internal processes used to upload data appropriately separating publicly available data from that which should remain internal only.

Individuals who were a party to an Indian probate hearing or appeal that was decided by OHA were potentially impacted. If you believe you were impacted and did not receive a notification letter, you may contact the ID Care Specialist Call Center at 1-800-939-4170.

We recommend you take advantage of the identity protection services provided at no cost to you. As with any potential compromise of personal information, you can protect yourself by requesting that a fraud alert be placed on your credit file to let potential creditors know to contact you before opening a new account in your name. You should also be alert to unsolicited or suspicious requests for sensitive personal information as well as financial information.

Surviving spouses of decedents may also be impacted due to the heightened risk of identity fraud that may impact the deceased individual's estate. Surviving spouses may send death certificates to the Internal Revenue Service and major credit bureaus with a request to place a "deceased alert" on the account to prevent new activity.

1. A fraud alert lets creditors know to contact you before opening new accounts, approving loans, or making changes to any existing credit sources. Please note that if you place a fraud alert on your file, you may find it more difficult to get new credit while the fraud alert is in effect. You can place a 90-day "initial fraud alert" on your file by calling just one of the three nationwide credit reporting companies at the phone numbers listed below. Once you place a fraud alert on your credit files, you are entitled to a free copy of your credit report. To request a fraud alert to let potential creditors know to contact you before opening a new account in your name, please contact the credit rating agencies at the below listed numbers. You will then receive letters from all of them with instructions on how to get a free copy of your credit report from each agency:

   Experian - 1-888-397-3742
   https://www.experian.com/fraud/center.html

   Equifax - 1-800-525-6285
   https://www.equifax.com/personal/credit-report-services/

   TransUnion - 1-800-680-7289
   https://www.transunion.com/fraud-victim-resource/place-fraud-alert

2. You are entitled to an annual free copy of your credit report. Once you receive notice that the alert has been placed, you should contact each of the three credit reporting agencies annually to order a free report, allowing 4 months between each request. You can order your credit report online at http://www.annualcreditreport.com; by phone, toll-free, at 1-877-322-8228; or by completing the Annual Credit Report Request Form and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

   When you receive your credit reports, you should review them carefully for accounts that you did not open or inquiries from creditors that you did not initiate. You should also look at the personal information, including the home address and Social Security number, to ensure that it is accurate. If you see anything that you do not recognize or understand, you should contact the credit reporting agency at the number provided.

   If you do find suspicious activity on your credit reports, call your local police or sheriff’s office and file a report of identity theft. You should obtain a copy of the police report, as you may need to provide a copy to creditors to clear up any affected records. Even if you do not find any signs of suspicious activity, we recommend that you check your credit reports every three months for the next year. Call one of the numbers above to order your report and keep the fraud alert in place.

3. You should continue to follow this process for a period of 12-24 months. When you receive your credit reports, review the personal information for accuracy. Also, carefully review the reports for accounts that you did not open or for inquiries from creditors that you did not initiate. If you see anything that is inaccurate or that you do not recognize or understand, you should immediately call the credit agency at the phone number or website listed on the report. If you find any suspicious activity on your credit reports, promptly file a report with your local police department and the Federal Trade Commission (www.ftc.gov).

If you become aware of suspicious or any unusual activity with your accounts, you should immediately notify your financial institution and file a police report with your local police or sheriff’s office in the community where the identity theft took place.  For information regarding identity theft and how to protect yourself, visit the Federal Trade Commission (FTC) website at https://www.consumer.ftc.gov/topics/identity-theft

Yes, OHA has offered identity protection services for a period of one year to the individuals notified by letter. Instructions for obtaining this service, including website and activation codes, are provided in the notification letters sent to affected individuals. You should consider utilizing this service to monitor your personal identity. You may be required to provide personally identifiable information to enroll in the service.  

We take our responsibility to protect your personal information very seriously and are worked to address the compromise and ensure the appropriate controls are in place to protect the privacy and security of information. The OHA Search Decisions website was immediately taken offline. OHA took immediate steps to determine the potential risks and identify potentially impacted individuals and worked with other Departmental offices to investigate and determine the scope of the incident.

OHA has implemented technical fixes to address the issue related to the breach. As an additional precaution, OHA reviewed its business processes to implement best practices to keep secure the information it is entrusted with and protect the privacy of individuals. Once these steps were completed, OHA was given approval to reopen public access to its Search Decisions website.

OHA is sending notification letters to individuals whose information may have been compromised and is offering identity protection services at no cost to them. We are also recommending individuals take precautionary measures to protect themselves, including requesting fraud alerts on their credit reports, and being vigilant about unsolicited communications from individuals asking to verify personal information. Potentially affected individuals are encouraged to monitor their financial information and be suspicious of unusual unsolicited phone calls, visits, or email messages from individuals asking for information.

• For information regarding identity theft and how to protect yourself, visit the Federal Trade Commission (FTC) website at https://www.consumer.ftc.gov/topics/identity-theft

• Be vigilant and carefully monitor bank accounts, credit card accounts, and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved. Review your transactions to make sure no one misused your account. Call the fraud department if you find fraudulent charges or withdrawals and have them removed.

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking for personal information. Legitimate organizations do not contact you in this manner. If you are contacted by anyone asking for your personal information in relation to this incident, do not provide it. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company before providing information of any kind by phone, email, or any other means.

• Do not provide personal information about yourself unless you are certain of a person’s authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following (i.e., clicking on) links sent in email.

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

• Do not send sensitive information over the Internet before checking a website’s security. See security tips for Protecting Your Privacy at https://www.us-cert.gov/ncas/tips/ST04-013, and the FTC’s Identity Theft website at https://www.consumer.ftc.gov/topics/identity-theft for more information.

• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. See security tips on Understanding Anti-Virus Software at https://www.us-cert.gov/ncas/tips/ST04-005, and Reducing Spam at https://www.us-cert.gov/ncas/tips/ST04-007 for more information.

• Take advantage of any anti-phishing features offered by your email provider and web browser.

• Review your bank and credit card statements carefully and often for unauthorized or unusual activity, and immediately look into any statements that don’t show up when you expect them.

• Protect your privacy by shredding any documents with personal and financial information.