Covenant HealthCare says they’re dealing with a data breach after an unauthorized party gained access to two employee email accounts.

An investigation with cybersecurity professionals after hospital officials learning of the issue on December 21st.

The FBI discovered that a bad actor was attempting to sell login and password access to Covenant’s network on the dark web. The access being sold included two email accounts which were breached using a password spray attack.

According to the investigation and document review; the email accounts were accessed on May 4th and allowed access to personal information on 45 ,000 patients and staff- including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information.

Covenant says no evidence has been released saying any of the information has been misused, but has notified impacted individuals directly through the mail.

Some of those affected, however, did not have contact information on record.

People can also verify the information in the letter they received is accurate on the Covenant webpage.

Officials with Covenant says it has implemented extensive safeguards to prevent this type of unauthorized access again, and advises anyone  affected (or worried they may be affected) to visit the Covenant website for more information on setting up fraud & identity theft protection, fraud alerts, or security freezes on their credit files.