The ransomware attack that hit the city of Dallas earlier this year affected 26,212 people, according to a report filed with the Texas Attorney General's Office.
The data security breach report — which was filed Thursday and made public Monday — says names, addresses, Social Security numbers, medical information and health insurance information were all compromised in the attack. The findings were first reported by the Dallas Morning News.
The compromised personal information includes names, addresses, Social Security numbers, medical and health insurance information, and "other," according to the report.
Reporting the breach is required under state law and comes more than three months after the city disclosed the cyber attack to the public.
Citing an ongoing criminal investigation, the city has withheld many details on the nature and scope of the breach. A spokesperson reiterated the city's found no additional suspicious activity, and confirmed some members of the public would likely receive notices that their data was breached.
Chief Information Officer Bill Zielinski is expected to provide an update to the Dallas City Council on Sept. 6.
The city has come under fire for its handling of the breach. For weeks, Dallas officials claimed no sensitive information was accessed. But on Friday, the city confirmed it had known personnel information was likely compromised as early as June 14.
In response, the Dallas firefighters' union took to Twitter to call for accountability from City Manager T.C. Broadnax.
Don't know how long this council will tolerate his behavior and arrogance. From the beginning the DFFA and DPA demanded protection only to be told that we had nothing to worry about. Time to pack up and go Mr. Broadnax
— Dallas Fire Fighters (@DFFA58) August 3, 2023
Fire union members were among those impacted, according to Dallas Fire Fighters Association President Jim McDade. He told KERA News even his son's personal information was leaked.
"It's just out there," McDade said. "These are our children that don't even work for the city of Dallas."
McDade added the city has provided identity theft protection and credit monitoring for 24 months.
"It's the first step, but I wish we weren't at this point right now," he said.
The hacker group Royal has taken responsibility for the attack, and threatened to leak sensitive information via their blog just a few weeks after the attack.
The report says the city has provided notice to the people impacted.
Anyone who received a notification that their information was compromised should call the city's help desk at (833)627-2708 between 8 a.m. and 8 p.m.
KERA's Nathan Collins contributed to this report.