Shields Health Care Group, a Massachusetts-based company involved with imaging and health management services, has announced a major hack that could have exposed sensitive information for up to two million people. The company learned of the attack on March 28th, and after an investigation it found that a malicious actor had access to some of its systems between March 7th and 20th. 

Crucially, the hack included sensitive information like social security numbers, medical record information, patient IDs and insurance details. The company claims there isn’t any evidence of identity theft from the incident, but there’s still a chance customers could be compromised down the line. 

“Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough  investigation to confirm the nature and scope of the activity and to determine who may be affected,” the company said in a statement. “Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.”

Shields says it has contacted the FBI, as well as local and state regulators, about the incident. According to the AP, the FBI isn’t commenting on the attack yet. Moving forward, Shields says it will contact customers once it learns who’s affected.