(Texas Tribune/KXAN) — A massive security breach at the Texas Department of Insurance leaked the personal information of almost 2 million Texans for nearly three years, according to a state audit released last week.

The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.

TDI officials said the department was in the midst of a regularly scheduled data management audit when the department discovered the unauthorized disclosure and reported it to auditors. On March 24, after the state’s audit was completed, TDI posted a public notice acknowledging it became aware of the issue in January, the auditor’s office said.

The department worked with a forensic company to examine the information that was exposed, and they didn’t find any evidence that anyone outside of TDI used the data.

The breach occurred because of an issue in the programming code in the department’s web application that manages workers’ compensation data. The issue in the code allowed members of the public to access a protected part of that online application, the department said.

The state’s insurance department said it would provide 12 months of free credit monitoring and identity protection services to individuals whose data was breached.

TDI said it is working to improve its security policies, though they didn’t specify what exactly staff will be doing to prevent this moving forward.

This article originally appeared in The Texas Tribune at www.texastribune.org. The Texas Tribune is a nonprofit, nonpartisan media organization that informs Texans – and engages with them – about public policy, politics, government and statewide issues.