DALLAS — It's been more than three months since the City of Dallas discovered it suffered a ransomware attack.
In the initial weeks, police, fire, courts and other city services were down. As the months have passed, many city employees have learned their personal information was exposed too.
In early August, the United States Department of Health and Human Services Office for Civil Rights started investigating. According to DHHS, 30,253 individuals are affected. These are people who are part of the city's self-insured group health plans.
The breach was submitted to the federal agency on Aug. 3, three months after the attack was found on May 3.
According to DHHS, "A HIPAA covered entity has up to 60 days to report a large breach (affects 500 or more individuals) of unsecured protected health information to the HHS Office for Civil Rights, individuals affected by the breach, and in some instances the media."
Some city employees confirmed to WFAA that their spouses' and children's data has been compromised too.
A retired Dallas Police lieutenant received a letter last week informing her that her information was at risk. In part, the letter read, "Our investigation to date has indicated that some of your sensitive personal information was impacted. The information included your name, address, SSN, Date of Birth, Insurance Information, Clinical Information, Claims Information, Diagnosis."
Dallas Police Association President Michael Mata said his biggest concern is the lack of transparency from the city.
"The city should have taken proactive steps in the very beginning, rather than having to be pushed for it," Mata said. "We advocated years ago to separate our databases from the city to prevent this from happening. And that was not done. So, hopefully the city realizes that there are some city services and those critical infrastructures that have to maintain service availability."
The City of Dallas said networks are 99% restored. The city is also offering two years of free credit monitoring to those impacted. Last week, the Dallas City Council approved $8.6 million to pay for services related to the breach.