An internal investigation at ByteDance found that several employees accessed TikTok data for two US journalists and a “small number” of other people connected to them, according to internal emails obtained by The New York Times. That data reportedly included the reporters’ IP addresses, which were used to see if they had been nearby ByteDance employees in an attempt to figure out who was leaking documents and information to the press.

The report is the latest in a series of investigations that have turned up evidence of ByteDance employees in China having access to American TikTok users’ data and is coming out during a time when lawmakers are making moves to restrict the app. It also represents ByteDance walking back denials that it’s made in the past, at least internally.

The company’s investigation, which was conducted by an outside law firm, revealed that the unnamed journalists who had their data accessed by ByteDance’s Internal Audit team worked for BuzzFeed and The Financial Times, according to the report. The New York Times writes that at least two of those employees were based in China, while two were working from the US. This information tracks with an October report from Forbes, which alleged that ByteDance had planned on using TikTok to track the location data of specific US citizens.

When Forbes’ report came out, TikTok strongly denied it, saying that it lacked “rigor and journalistic integrity” and that the app does not collect precise GPS data. (At the time, the reporter behind the story pointed out that the company admitted to collecting approximate locations using IP addresses.) A tweet from the company’s corporate communications account said that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists” and noted that any employees using the audit system in the way Forbes described would be fired.

That’s now happened to three employees from the audit team, according to the Times, while another has resigned.

The Times’ report says that the employees accessed the information “over the summer.” The big question that remains (and that we’ve asked TikTok about but didn’t receive an immediate response to) is whether it happened before or after the company started routing US users’ data through Oracle.

That switch was flipped in June, and it was supposed to protect Americans’ data from ByteDance employees in China, as Buzzfeed News released a report that quoted TikTok employees saying that engineers overseas had “access to everything” and repeatedly accessed US users’ information. If the incident occurred after the Oracle / TikTok partnership went into effect, it’d raise serious questions about how effective the program is.

TikTok and ByteDance are already under a microscope when it comes to user data and privacy. Over a dozen states in the US have banned TikTok on government phones, and senators like Marco Rubio are working on legislation that would ban it outright in the US. Lawmakers involved with the bill say they’re concerned that the app gives the Chinese Communist Party the ability to monitor and influence Americans.

It’s not the first attempt to get rid of the app; former President Donald Trump attempted to ban it during his tenure, even declaring it a national emergency. He also demanded that ByteDance sell its American division off to a company based in the US, though that deal — like the ban itself — never came to fruition.