The U.S. Department of Health and Human Services is now reportedly investigating Dallas’ purported ransomware attack.
Health and Human Services’ civil rights office is looking into the attack from earlier this year, according to The Dallas Morning News. It is not clear when the investigation will be complete.
The ransomware attack was apparently initiated on April 7 but was not detected by Dallas officials until May 3.
Personal information from 30,253 current and retired city employees and their family members was exposed during the breach, the City told HSS — 4,000 more than the 26,212 Dallas reported to the state attorney general’s office.
“The 30,253 includes the approximately 3,000 for whom we did not have addresses … at the time of the breach and for whom media notice is being used while we try to track down addresses,” City Communications Director Catherine Cuellar told the DMN.
A leaked email from City Manager T.C. Broadnax to City employees first indicated that sensitive employee information maintained by the City’s Human Resources Department had been compromised, The Dallas Express reported.
But a subsequent data security breach report from the Texas Attorney General’s website revealed that the damage was far-reaching: 26,212 Texans were affected by the attack, and children were among those whose information was stolen, as The Dallas Express reported.
Now comes the increase to 30,253. Data from Dallas’ self-insured group health plans was also exposed, per the DMN.
Cybersecurity expert Andrew Sternke told CBS Texas that children can be impacted into adulthood if their personal data are compromised.
“This information is released out onto the dark web to be sold,” he said. “When that kid turns 18, it’s a free-for-all, and that’s another concerning aspect: that it’s not just the adults we have to worry about.”
Some City employees have apparently already reported identity theft.
“Unfortunately, it was what I expected,” Dallas Fire Fighters Association President Jim McDade told CBS. “That’s why I took out the identity theft protection back in May.”
As previously reported by The Dallas Express, the City at first claimed that there was no indication personal data had been leaked.
“That false sense of security created a long period of time that employees could have taken protective steps. Seems very disingenuous,” Dallas Police Association President Mike Mata previously told The Dallas Express.