It’s never good to disclose PII. Dropping vulns after responsible disclosure is mostly considered ok, not so much with PII - it’s not the victims fault and can be damaging longer term.

If the vendor refuses to fix the issue, providing the media with enough redacted info to have them publish a story will force the vendors hand.