Yes they’re absolutely responsible. It’s not the job of affected citizens to police the choices of this agency or account for such risks. They can reasonably expect competence and safe handling of their private information, and the consequences of third party choices should be borne by the agency who hired them. They are also free to pursue action against that third party but it is ultimately their problem to own. Unfortunately that may not help anyone if the third party just folds and declares bankruptcy when they face lawsuits.