The city of Dallas has reported 30,253 people had their personal information compromised as a result of a ransomware attack — a jump of more than 4,000 from what the city disclosed earlier this month — and the U.S. Department of Health and Human Services has opened an investigation into the breach.
An Aug. 3 report filed with HHS shows personal information was accessed through self-insured group health plans sponsored by the city of Dallas. The disclosure was first reported by the Dallas Morning News.
The department’s Office of Civil Rights is now investigating the breach, which HHS spokesperson Gabriela Sibori said in an email is done with "every large breach reported by a HIPAA regulated entity."
The length of the investigation will depend on the facts of the breach and compliance with HIPAA privacy, security and breach notification rules. There's no timeline for the investigation, but Sibori wrote the OCR announces resolutions of investigations "with a monetary payment, resolution agreement, and corrective action plan, or the imposition of a civil money penalty."
On Aug. 7, the Attorney General's office made public a report that disclosed 26,212 people were affected by the breach. That report revealed compromised data included names, addresses, Social Security information, medical and health insurance information and more.
City spokesperson Catherine Cuellar wrote in a statement the new total "includes approximately 3,000 for whom (the city of Dallas) did not have addresses for at the time of the breach and for whom media notice is being used while we try to track down addresses."
"We have strived to share the most recent and accurate information possible, and we are sharing this information – along with resources to help impacted individuals protect their sensitive information – as soon as we were able," the statement reads.
Though both reports were submitted on Aug. 3, it’s unclear why those 3,000 individuals were not initially disclosed to the public.
Hacker group Royal took responsibility for the attack and has threatened to leak city employees’ personal information.
The city has sent out approximately 27,000 letters giving employees notice of the personal data leak and offering free credit monitoring and identity theft insurance for two years.
Some have criticized city officials for not being more transparent about when and how much personal information was leaked after a spokesperson said the city knew personal information was compromised in the breach as early as June 14.
Got a tip? Email Toluwani Osibamowo at tosibamowo@kera.org. You can follow Toluwani on Twitter @tosibamowo.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gift today. Thank you.
