OPM Data Breach: Free Identity Protection Is Ending, 21.5 Million Federal Employees Need to Act Before September 2026

The free identity protection provided to over 21 million current and former federal employees after the 2015 OPM data breach is running out. MyIDCare coverage following the 2015 OPM cybersecurity incidents was provided in accordance with the Consolidated Appropriations Act for a period of 10 years, and memberships will expire over the course of FY2026 as each one reaches 10 years from its date of enrollment. If you are a federal employee or contractor affected by that breach, your free coverage may already be gone — or it is going away soon.

Field: Detail
Program Name: MyIDCare by IDX (formerly ID Experts)
Who Is Affected: ~21.5 million current/former federal employees, contractors, and their families
Coverage End Date: Rolling expiration based on individual enrollment date; full program ends September 30, 2026
What Is Expiring: Free credit monitoring + $5 million identity theft insurance policy
Administrator: IDX (MyIDCare)
Official Website: opm.myidcare.com
Class Action Settlement: $63 million — claim period closed December 23, 2022
Last Updated: May 5, 2026

The 2015 OPM Breach That Started All of This

In 2015, the Office of Personnel Management announced two separate cybersecurity incidents. The Social Security numbers, birthdates, and addresses of approximately 21.5 million individuals were compromised, including 19.7 million individuals who applied for background investigations and 1.8 million non-applicants — predominantly spouses or cohabitants of applicants.

The breach has been attributed to China’s intelligence apparatus. In addition to Social Security numbers and addresses, 1.1 million sets of fingerprints and detailed financial and health records were also exposed — some of the most valuable information available today on the dark web.

Congress responded by passing the Consolidated Appropriations Act of 2017, which required OPM to provide free identity protection and credit monitoring to every affected person for 10 years — up to a $5 million identity theft insurance policy through IDX’s MyIDCare platform. That was the government’s commitment. And now that commitment is expiring. For federal workers researching how other data breach class actions have handled long-term protection for victims, the AT&T $177M data breach settlement is a recent example of how courts structure relief for mass PII exposure.

Are You Still Covered — Or Has Your Protection Already Expired?

Individuals who enrolled after 2015 — and even through fiscal 2026 — will have their memberships expire on the 10-year anniversary of their enrollment. This means not everyone loses coverage on the same date. Your expiration date depends on when you personally enrolled.

You are likely still covered if you enrolled in late 2015 or later and have not yet received an expiration notice. You may have already lost coverage if you enrolled in early-to-mid 2015 and have not renewed. You are NOT covered if you never enrolled in the first place — the program was opt-in, not automatic.

If you received an expiration notice and wish to renew your coverage, you can log in to your MyIDCare account and select “Renew My Protection.” The site confirms expiration emails are legitimate.

Why OPM Is Ending the Program — And Why Some Lawmakers Are Pushing Back

An OPM official told Federal News Network the contract has been “a waste of money,” noting the program cost taxpayers $1 billion, with the most recent annual cost at $58 million, while the insurance component paid out only $162,000 in claims since 2015, with no claims filed since 2022.

The current IDX contract continues through September 30, 2026. After the legislative requirement to offer services through the end of fiscal 2026, the contract will expire — so current and former federal employees affected by OPM’s data breach will need to consider their options for identity protection and credit monitoring services.

Not everyone agrees with that decision. Lawmakers including Del. Eleanor Holmes Norton and Rep. Dutch Ruppersberger have argued that the government should protect breach victims for the duration of their lives, noting there is no limit to how long compromised personal information can be used. Sen. Mark Warner also urged OPM’s acting director to ensure identity protection services continue, warning that millions of impacted individuals will continue to be at risk likely for the remainder of their lives. As of May 2026, no legislation extending the program has passed.

The $63 Million Class Action Settlement — Already Closed

Separate from the free monitoring program, a data breach compensation lawsuit was filed against OPM and its contractor Peraton Risk Decision Inc. Plaintiffs reached a settlement in 2022 that made $63 million available for those who could demonstrate financial hardship as a result of the breach. A federal judge closed out the case after OPM and the Treasury Department paid out just $4.8 million to just over 5,000 individuals.

The remaining $58.2 million was returned to the Treasury. The claim deadline was December 23, 2022. Nearly all of the 22 million impacted by the breach no longer have any standing to sue the government or Peraton over the hacks, except for 114 individuals who proactively asked to be excluded from the settlement.

If you missed that deadline, that claim avenue is now closed for nearly everyone affected. For people dealing with ongoing identity theft risk from this breach and researching their consumer rights options, the Conduent data breach class action shows how courts continue to handle large-scale PII exposure cases for government-adjacent contractors.

What You Should Do Right Now

Your information from the 2015 breach is permanently in the wild. Chinese state-level hackers have fingerprints, background investigation files, and Social Security numbers for millions of federal workers. That data does not expire or become harmless. Here is what you can do before September 30, 2026:

Check your MyIDCare status now. Log in at opm.myidcare.com and confirm your expiration date. If coverage has lapsed or is ending soon, you will see an option to renew at your own cost.

Place a permanent credit freeze if you have not already. This is free through all three major bureaus — Equifax, Experian, and TransUnion — and it is the most effective step you can take to prevent new accounts from being opened in your name. A credit freeze does not affect your existing accounts or credit score.

Save your enrollment records. If coverage expires and you later need to file an identity theft claim or seek compensation for damages through any future program, documentation of your original enrollment may be required.

Monitor your accounts manually. Set up free alerts through your bank and credit cards. Review your free annual credit reports at annualcreditreport.com for accounts you did not open.

Consult a consumer rights lawyer if you experience actual identity theft. If someone opens fraudulent accounts or files taxes in your name using information from this breach, you may have individual legal options worth exploring with a class action lawsuit attorney.

OPM Data Breach: Frequently Asked Questions

Is there still a class action lawsuit against OPM I can join? 

No. The $63 million class action settlement against OPM and Peraton Risk Decision Inc. was finalized in 2022, and the claim deadline passed on December 23, 2022. Nearly all affected individuals no longer have standing to sue the government or Peraton, except 114 people who opted out of the settlement.

Why are some people losing coverage before September 2026?

Coverage expires on the 10-year anniversary of each individual’s enrollment date. If you enrolled in early 2015 or early 2016, your 10 years may have passed already. Log in to opm.myidcare.com to check your specific expiration date.

Do I need to do anything right now to stay protected after September 2026?

Yes, if you want to continue paid monitoring services. IDX has sent emails to subscribers offering a discount to renew their subscriptions at personal cost after government-paid coverage ends. You are not required to renew, but going without any monitoring means you will need to rely on manual credit freezes and self-monitoring.

How much did the $63 million settlement actually pay out per person? 

Those eligible received a minimum of $700 and up to $10,000 if they could prove they were victims of the hack and incurred out-of-pocket expenses or lost compensable time. Only about 5,000 of the 22 million affected people received any payment.

Will losing this coverage affect my taxes?

The free monitoring service provided by OPM through IDX was not taxable income. If you receive any future settlement payments from a separate legal action related to this breach, those payments may or may not be taxable depending on what they compensate for — consult a tax professional for your specific situation.

Is the stolen OPM data still a threat after 10 years?

Yes. The federal workforce was dangerously exposed by the 2015 OPM breach, and millions of impacted individuals will continue to be at risk because of the breach, likely for the remainder of their lives. Background investigation files and fingerprint records do not become less valuable to foreign intelligence agencies over time.

Can I still enroll in MyIDCare for the first time?

The MyIDCare site is designed for those who have an existing enrollment under MyIDCare for the OPM cyber incidents or wish to renew protection. If you never originally enrolled and are seeking first-time enrollment, visit opm.myidcare.com or call OPM at 1-800-750-3004.

What did Congress do to try to extend this coverage permanently?

Del. Eleanor Holmes Norton and Rep. Dutch Ruppersberger introduced the RECOVER Act (H.R. 7236) to expand credit monitoring and identity protection to last for life. However, the program remains set to expire in 2026, and the legislation has not passed.

Sources & References

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against official MyIDCare enrollment notices, OPM cybersecurity resources, and court records for In Re: U.S. Office of Personnel Management Data Security Breach Litigation, Misc. Action No. 15-1394, MDL Docket No. 2664. Last Updated: May 5, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.