In the more than three years since the government started offering identity protection services and identity theft insurance to those affected by the breaches of OPM databases, only 61 individuals have received payouts from insurance claims, averaging about $1,800 per claim, GAO has found.
GAO said that of the 22 million people—current and former federal employees, military personnel and others in a database of federal personnel files and another on people who had undergone background checks—about three million have enrolled in the services. Enrollment is still open and the benefits are to continue through 2026; some members of Congress have proposed that they be made permanent.
About 1 percent of enrollees have made identity restoration requests, and of the 81 insurance claims filed, 61 were approved, GAO said.
The services are free to enrollees but as of last November had cost OPM $361 million; shortly afterward, OPM signed a new contract with the same provider that is effectively a five-year extension with a total potential cost of $400 million.
GAO added that given the size of the claims paid so far, “the $5 million per-person coverage limit mandated by Congress likely was unnecessary and might impose costs without providing a meaningful corresponding benefit.” It noted that it previously had recommended that OMB revise its guidance to agencies on responding to data breaches by considering alternatives such as fraud alerts, credit freezes, or the agency conducting monitoring on its own.
In that earlier report, GAO also had stressed the limits of the type of protection being offered, saying, for example, that while identity monitoring can alert victims to misuse of certain personal information, its effectiveness in addressing such theft is unclear; and while identity theft insurance covers expenses related to responding to such theft, it generally excludes direct financial losses.