10 Years After OPM Data Breach, Identity Protection Benefits for Affected Feds Start to Expire

The 2015 OPM breach remains a benchmark for government cyber‑risk, having compromised personal data of over 22 million current and former federal employees, applicants, and their families. In the immediate aftermath, OPM launched MyIDCare, a federally funded identity‑theft protection service that combined credit monitoring, dark‑web alerts, and insurance. Funded through the Consolidated Appropriations Act of 2017, the program was initially slated for three years but later expanded to a ten‑year horizon, reflecting congressional pressure to shield a vulnerable workforce from long‑term exploitation.

As the ten‑year term expires, OPM has opted not to extend the IDX contracts, citing the program’s $756 million price tag and a dwindling number of claims. The Government Accountability Office has labeled the spend as potentially unnecessary and disruptive to the broader identity‑theft insurance market. Meanwhile, a 2022 class‑action settlement allocated $63 million for victims experiencing financial hardship, yet only $4.8 million reached roughly 5,000 claimants before the remainder reverted to the Treasury. This outcome underscores the challenges of translating large‑scale breach remediation into tangible relief for affected individuals.

The program’s sunset raises broader questions about federal responsibility for long‑term data breach fallout. While some officials argue that a decade of coverage is sufficient, lawmakers continue to advocate for lifetime protection, warning that compromised data remains a persistent threat, especially given the alleged Chinese origin of the intrusion. As private firms like IDX pivot to market their services directly to former beneficiaries, the episode illustrates a shifting landscape where government‑backed safeguards give way to consumer‑driven solutions, placing the onus on individuals to manage their own cyber‑risk portfolios.