The personal information of 1.8 million Texas residents who filed insurance claims with the Texas Department of Insurance was exposed and publicly accessible for almost three years, according to a recently published state audit.

News of the security lapse was first disclosed by the department in March, almost three months after it first became aware of the exposed data in January during the course of a preplanned data management audit.

The department said that it became aware of a security issue with the web application that manages workers’ compensation information and took the site offline to fix it. It said it was notifying residents who filed claims between March 2019 and January 2022 that their names, addresses, dates of birth, phone numbers, Social Security numbers and details of their claims were affected by the exposure.

The state did not provide details of the security incident. But a state audit published this month revealed that residents’ personal information was inadvertently exposed to the internet because of “programming code that allowed internet access to a protected area of the application.”

The department said in an updated post that a forensic investigation “could not conclusively rule out that certain information on the web application was accessed outside of TDI.” The department did not name the forensics company that carried out the investigation.

The Texas Department of Insurance oversees and enforces the insurance industry in Texas, and serves as an arbitrator in disputes between an employee, their employer and insurance carriers, according to The Texas Tribune, which first reported the news.

In 2018, TechCrunch reported that over 14 million detailed Texas voter records were left online on an unprotected web server. The data was originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data.