Yes, we did find that individuals who did some of the security testing did not have the security clearances that were required by the contract. However, that security testing was done in a test environment. It still raises a concern, because a person could potentially be identifying the vulnerabilities of the application, but they did not have access to individuals' data, since it was in a test environment.
On February 14th, 2024. See this statement in context.