Social Security and credit card numbers may have been lost in healthcare data privacy incident.

The personal information of around 35,000 ATI Physical Therapy patients may have been compromised after a hacker gained access to employee email accounts earlier this year.

Chicago-based ATI, which operates hundreds of physical therapy facilities across 25 US states, said it discovered in January that certain employees’ direct deposit information had been changed in its payroll platform.

A subsequent investigation revealed that some employee email accounts had been accessed without authorization between January 9 and 12, and that patient information was included in one or more of these accounts.

ATI said the unauthorized actor had access to a wealth of patient information, including name, date of birth, driver’s license number, Social Security number, credit card number, financial account number, patient identification number, Medicare or Medicaid identification number, medical record number, diagnosis, disability code, treatment information, and prescription information.

“While our investigation is ongoing, we do not currently have any evidence of actual or attempted misuse of patient information as a result of this incident,” the company stated. “The type of information affected varies per impacted individual.”

The physical therapy group said it is working with local law enforcement agencies and regulators, and would be mailing notices to affected patients.

“ATI is providing potentially impacted individuals access to free credit monitoring services,” the security advisory read. “Information on these services is included in the notice letters that are being mailed to affected individuals.”