Gabriela Sibori, an HHS press secretary, confirmed late Wednesday that an investigation by the department’s civil rights office is ongoing and it’s unclear when the federal review will be complete. The city reported the data breach to the agency earlier this month saying personal information from 30,253 people through Dallas’ self-insured group health plans were exposed during the breach, which started April 7 but wasn’t detected by the city until May 3.
That tally is higher than the 26,212 people the city also reported earlier this month as being affected by the cyber attack to the state attorney general’s office. Catherine Cuellar, the city’s communications director, told The Dallas Morning News that the count to the attorney general’s office excluded people for whom the city didn’t have addresses.
“The 30,253 includes the approximately 3,000 for whom we did not have addresses for at the time of the breach and for whom media notice is being used while we try to track down addresses,” she said.
When asked who was included in this group, Cuellar did not immediately respond to The News.
The federal notice hones in on the ransomware attack impacting health plans. The city first gave public notice that health benefits-related information was accessed by hackers in a July 18 email from City Manager T.C. Broadnax to employees saying records maintained by the city, including information held by Dallas’ human resources department, was determined to be exposed.
City officials still haven’t publicly disclosed all the departments where information was possibly stolen as well as several other key details of the data breach, such as how it happened. The city has sent around 27,000 letters to mostly employees, retirees and their relatives giving notice that their names, home addresses, social security numbers, date of birth, medical diagnoses, and other information were exposed to hackers, and offering two years of free credit monitoring and identity theft insurance.
Dallas offers medical coverage through BlueCross BlueShield of Texas. During a City Council meeting Wednesday, Dallas officials said there were more than 11,300 employees and around 1,200 retirees enrolled in a health benefits plan through the city as of this year.
The HHS department review joins an ongoing criminal investigation into the hacking by the FBI and an internal review by the city. Dallas announced being alerted to ransomware on city servers on May 3, but disclosed in late July that hackers had been in the system downloading data from April 7 to May 4 and that officials knew data had been accessed as of June 14.
It’s not clear how much data was taken from city servers. The city has identified ransomware group Royal as responsible for the hacking. The group has threatened to release city-stored information but the leak doesn’t appear to have happened as of Wednesday.
City officials told The News last week that the city’s network was 99% restored following the cyber attack and that a review of the hacking and it’s impacts are still going on. They said it’s likely the number of people determined to be impacted by the ransomware attack will group by the fall.
The City Council last Wednesday approved setting aside nearly $8.6 million to pay vendors for hardware, software, incident response, and consulting services in response to the Royal ransomware attack.
©2023 The Dallas Morning News, Distributed by Tribune Content Agency, LLC.