The State Bar of California revealed Monday, March 14, that the public release of confidential attorney discipline records was more widespread than initially reported, but said only a fraction of the complaints was ever viewed.

At the same time, the agency said it would notify all complainants, witnesses, and respondents whose names appeared in the 322,525 records available on the internet since October 2021. Initially, the State Bar said, a public records aggregator, had published an estimated 260,000 discipline records along with about 60,000 public State Bar court cases until the website became inaccessible late last month.

“The State Bar takes the data breach seriously and is devoting significant resources to assess its impact and pursue all available remedies,” Executive Director Leah Wilson said. “While the State Bar is still actively investigating this incident, our commitment to transparency has and will continue to result in regular and timely updates on the process as it unfolds.”

Wilson said the initial estimate of the number of breached records was based on manual searches performed on the judyrecords site before the State Bar data was taken offline. “Judyrecords subsequently provided us with a complete copy of the State Bar’s data from its site, which enabled us to more accurately inventory both the public and confidential records available and viewed,” she said.

In addition to the 322,525 confidential records available online, the State Bar said judyrecords published 47,964 public court records. Of the discipline records, 188 include personal information, with 159 pertaining to inactive State Bar memberships due to mental illness or substance abuse. One record included a Social Security number.

However, only 1,034 of the confidential records and 60 of the public records were viewed, the State Bar said. Of the confidential records viewed, six contained personal information.

The State Bar maintains there was no malicious hack of its computer system. The data breach appears to have been caused by a previously unknown security vulnerability in the State Bar’s Odyssey case management portal that allowed the nonpublic records to be unintentionally swept up by judyrecords when it accessed public records..

Texas-based Tyler Technologies said on its website it is working with its clients to ensure their data remains secure.

The State Bar has retained  Cooley LLP, a nationally known law firm that specializes in cyber and data privacy, to provide advice on the breach.

Most of the costs associated with those services will be covered by the State Bar’s insurance carrier. The State Bar also plans to seek reimbursements from Tyler Technologies.