The Boston Teachers Union Health and Welfare Fund began notifying 506 of its members that their names and Social Security numbers were mistakenly made available in search results for a Web site maintained by Classic Optical, the parent company of Classic Administrative Services (h/t DataBreaches.net).
According to a letter [PDF file] sent to the New Hampshire Attorney General by Fund Administrator Eugene McGlynn, the data exposure was a result of a coding loophole, which was fixed within one day of the breach's discovery in April.
The Fund is also ensuring that, in the future, members' personal information is transmitted to vendors in an encrypted format, and is transitioning away from using Social Security numbers to determine members' eligibility for vision benefits.
"Because the security breach was inadvertent, law enforcement has not been contacted," McGlynn wrote. "The Fund has no evidence that the personal information has been used for fraudulent purposes, but will be offering credit monitoring services to those whose Social Security numbers have been exposed."
All those affected are being offered one year of free identity protection from AllClear ID.