OPM to Rebid Identity Theft Protection Contract Affecting Millions of Hack Victims


The current contract, which cost the government $340 million over three years, is set to expire Dec. 31.

Millions of current and former federal employees could soon have a new company providing them with credit monitoring and identity theft protections, as the Office of Personnel Management plans to rebid a contract worth hundreds of millions of dollars.

The current contract, which OPM signed with ID Experts in the wake of two data breaches unveiled in 2015 that affected more than 20 million federal employees, retirees and their family members, is set to expire at the end of the year. OPM has already obligated the full $340 million value of that contract.

The agreement lasted only for three years, but Congress has since mandated that the hack victims receive 10 years of protections. According to an OPM spokesperson, the contract is being recompeted. If, as a result of that competitive solicitation, OPM chooses a vendor other than ID Experts, the agency has prepared a “six-month transition” that would last through July 1, 2019, the spokesperson said. If ID Experts is once again selected, then “there will be no change to the enrolled population.”

The spokesperson did not elaborate on how long the new contract will last or the exact timing of the solicitation. Ken Thomas, president of the National Active and Retired Federal Employees Association, called on OPM to be more transparent about its planning.

"If OPM is truly committed to assisting the victims find some sense of security and normalcy, OPM must provide them with timely notification and reassuring information regarding their identity theft protection and insurance for the next seven years," Thomas said, adding that OPM's opacity and delayed action have created "more questions than answers." 

ID Experts is currently providing protections to victims of two different breaches. The first exposed personnel files of 4.2 million current and former federal employees and the second involved the personal information in background investigations of 21.5 million employees, contractors, applicants and family members. About 3.4 million people signed up for the protections as of 2016, according to OPM.

The agency did not detail when it expects to complete the rebidding process. After the breaches, the General Services Administration announced a Blanket Purchase Agreement that prescreened potential vendors for identity theft protection services for federal agencies. Three companies were included in the BPA, which lasts through August 2020. In addition to ID Experts, GSA identified Massachusetts-based IdentityForce and Michigan-based Ladlas Prince for prioritized selection.

Hack victims enrolled in the program are currently receiving a “suite of services,” including full-service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuing credit monitoring and fraud monitoring services beyond credit files. They also are eligible for up to $5 million in identity theft insurance. ID Experts was required to establish call centers that operate 12 hours per day, six days per week.

Some lawmakers have pushed for hack victims to receive lifetime protections, and federal employee groups are fighting for that outcome in federal court. The Government Accountability Office has criticized OPM for overpaying for the services, saying the level of coverage is “likely unnecessary” and may be distorting the identity theft insurance market.

There are no known, verified instances of OPM data being released to criminals.

This story has been updated with additional comment.