Update: Privacy Breach Involving Office of Hearings and Appeals Indian Probate Records
On January 14, 2021, the Department of the Interior’s Office of Hearings and Appeals (OHA) discovered a data breach on its Search Decisions website that supports historical searches on publicly available decisions. OHA immediately took the Search Decisions website offline and initiated an investigation. The incident was determined to be the result of an undetected software misconfiguration and was not a cyber-attack. The misconfiguration allowed a limited number of records related to Indian probate hearings and appeals proceedings to be disclosed when searches were conducted on the site.
Due to the misconfigured setting, searches conducted on the Search Decisions website between December 13, 2019 and January 15, 2021 may have permitted unauthorized access to documents that contained the personally identifiable information of parties involved in Indian probate hearings and appeals proceedings. Based on initial findings, OHA identified 26 cases that may have been accessed that contain records of approximately 238 affected individuals. OHA provided notification to potentially affected individuals in April 2021 and offered identity protection services.
OHA also contracted with an outside specialist to conduct an independent investigation and technical analysis of the breach to ensure all potentially affected individuals were identified and appropriate measures were implemented to safeguard privacy. As a result of this further investigation, OHA has identified an additional 295 cases with 2,122 potentially affected individuals who will also receive notification letters with an offer of identity protection services at no cost to the individual.
Significant safeguards have been added to OHA’s Search Decisions website to protect internal information from being accessed from the website. On July 15, 2021, public access to the website was restored with these safeguards in place.
We deeply regret this incident and any inconvenience this may have caused to those who may have been impacted. We are committed to protecting the privacy of individuals, providing resources to those who have been affected, and ensuring this type of incident does not occur again.
Please refer to the FAQs below for more information and guidance.