The names and information of victims of sexual abuse by members of the Catholic Archdiocese of Baltimore may have been compromised by a cybersecurity breach in early March, according to court documents filed in U.S. Bankruptcy Court.

The United States Trustees Program, which oversees bankruptcy cases for the U.S. Justice Department, says Berkeley Research Group (BRG) informed them of a cyber breach on April 28, nearly two months after the discovery of the incident.

BRG acts as a financial advisor for the Official Committee of Unsecured Creditors in the bankruptcy of the Archdiocese of Baltimore. It also advises nine other committees in other religious organization cases across the nation.

The breach is particularly troublesome because survivors have the option to remain publicly anonymous due to the sensitivity of sexual assault allegations.

“Although such a largescale data breach would be of concern to the United States Trustee in any bankruptcy case, that the breach occurred in archdiocesan and diocesan cases—where the claims information of sexual abuse survivors is the most sensitive and confidential of all information—is very concerning,” Nan Roberts Eitel, associate general counsel for Chapter 11 Practice for the U.S. Trustees Program, wrote in a letter to BRG.

BRG must respond to the U.S. Trustees Program by May 23.

The agency wants BRG to disclose what cases may have been compromised, why it delayed in notifying those impacted, what remedies the company will offer and if the company has insurance that will cover the breach.

The Baltimore Archdiocese filed for bankruptcy in fall 2023, right before the Child Victims Act went into effect.

There are as many as 1,000 claimants who are filing against the church for abuse that stems back decades.