Pfizer this week confirmed that the personal data of as many as 34,000 people may have been illegally accessed and downloaded from a company computer system by a former employee.
The compromised information includes names, Social Security numbers, dates of birth, phone numbers, and bank and credit card information of employees, former employees and health care workers, the New York-based drug maker said.
A spokeswoman for Pfizer said the incident, discovered on July 10, occurred sometime late last year.
The pharmaceutical company began notifying people by mail of the breach on August 24 — more than six weeks after it learned of the incident.
In the letter, Pfizer said that "the number of affected individuals is still an estimate" because outside consultants are continuing to analyse the exposed data.
The spokeswoman would not disclose where the breach occurred or how the company discovered it. Nor would she disclose why Pfizer waited more than a month to inform people that their personal data may have been exposed.
She did say that so far the compromised information doesn't appear to have been misused.
This is the third time this summer that Pfizer has disclosed a breach in which confidential data was exposed.
In June, the company reported that a Pfizer employee had installed unauthorised file-sharing software on a company laptop, exposing personal data belonging to about 17,000 current and former employees.
That announcement also came about six weeks after the drug maker learned of the breach.
A month later, the company reported that two laptops containing confidential employee data as well as proprietary company information were stolen out of the locked car of an employee working for Axia, a contractor for Pfizer.