Chair Cassidy Seeks Answers on Opexus Cyber Breach, Calls for More Safeguards

WASHINGTON - U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, rebuked OPEXUS for failing to safeguard sensitive federal government information. Opexus, a major software service contractor for the U.S. government, was breached early last year by a cyber incident.

This comes after two former OPEXUS employees, both with a history of hacking federal agencies, destroyed and stole numerous government documents, including those belonging to the Equal Employment Opportunity Commission (EEOC). These two employees have since been criminally charged for the breach.

"At a time when cybersecurity incidents are only increasing in frequency, it is important that those who have access to this data take their responsibility to protect public and private stakeholders seriously," wrote Dr. Cassidy. "These incidents raise significant concerns about OPEXUS's internal processes to safeguard sensitive information."

Read the full letter here or below:

Dear Mr. Langsam:

Securing access to critical information technology (IT) is essential to ensure that sensitive government and consumer information is not misused. At a time when cybersecurity incidents are only increasing in frequency, it is important that those who have access to this data take their responsibility to protect public and private stakeholders seriously.

The recent cybersecurity breach involving OPEXUS raises questions about the company's commitment to robust cyber practices. OPEXUS offers a number of products for state, local, and federal agencies, including tools to manage Freedom of Information Act (FOIA) requests, workflow management, and agency audit and investigation activities. OPEXUS explicitly states that "security should be at the forefront of everything we do."¹

Contrary to this stated commitment, OPEXUS recently employed two individuals who previously pleaded guilty and received prison sentences for hacking federal agencies, specifically the Department of State.² Despite their criminal records, OPEXUS was unaware of this information when the two individuals were hired in 2023 and 2024, respectively, although OPEXUS claims that both individuals underwent background checks prior to their employment.³

After learning about their criminal history in February 2025, the two individuals were terminated.⁴ However, prior to losing access to OPEXUS' systems, these individuals allegedly destroyed and exfiltrated a number of government documents, including those belonging to the Equal Employment Opportunity Commission (EEOC).⁵ This incident resulted in several federal agencies temporarily losing access to its FOIA systems.⁶

These developments raise significant concerns about OPEXUS' internal processes to safeguard sensitive information. To that end, I ask that you answer the following questions by February 24, 2026.

1. On February 18, 2025, OPEXUS terminated the two employees in question.⁷ However, the two employees still had access to OPEXUS' internal systems and allegedly deleted 96 government databases and exfiltrated approximately 1,800 files belonging to the EEOC.⁸

1. Why did OPEXUS not immediately terminate the two employees' access to its internal systems?

1. What safeguards did OPEXUS have in place to limit the deletion or exfiltration of such data?

1. Was OPEXUS able to recover the databases allegedly deleted by the two employees?

1. OPEXUS states that it works with many government agencies and supports 78% of agencies in processing FOIA requests. Has OPEXUS identified what government agencies were impacted by the cybersecurity incident? If so, please provide a list of impacted agencies.

1. How is OPEXUS working with federal agencies to identify what information was inappropriately accessed and to remediate any security risks?

1. OPEXUS is currently certified under the Federal Risk and Authorization Management Program (FedRAMP). As part of that certification, contractors must have personnel screening policies in place.⁹

1. How does OPEXUS screen prospective employees prior to employment?

1. Does OPEXUS conduct audits or additional screening of current employees?

1. OPEXUS has previously stated that the two terminated employees had undergone background checks prior their employment, but that "additional diligence should have been applied."

1. What lapses to OPEXUS' pre-employment processes has it identified that led to the two terminated employees prior criminal convictions being missed?

1. What remedial steps has OPEXUS implemented to its pre-employment processes?

1. Since 2020, how many employees or former employees has OPEXUS terminated due to potential security vulnerabilities? If applicable, please provide the number of terminations by year, including the potential vulnerability OPEXUS identified.

1. OPEXUS' negligence caused some Americans' personally identifiable information to be exposed.

1. Has OPEXUS provided credit monitoring at no cost to individuals impacted by the cybersecurity incident? If not, will OPEXUS commit to doing so?

1. Has OPEXUS agreed to indemnify against any financial losses as a result of the cybersecurity incident? If not, will OPEXUS commit to doing so?

###

For all news and updates from HELP Republicans, visit our website or Twitterat @GOPHELP.