The US Department of Energy (DOE) has been hacked forcing the agency to notify some 14,000 current and former staff that their information may be compromised.
A letter from the agency said compromised data included personally identifiable information (PII) which typically included names, dates of birth and medical records.
Classified data was not targeted or compromised, according to the letter obtained by The Wall Street Journal.
The DOE's cyber security office, its Office of Health, Safety and the US Security and the Office of Inspector General were working with police.
The agency would develop a “remediation plan” after the investigation into the suspected July hack concludes.
Affected employees will receive one free year of credit monitoring services.
ESET security researcher Cameron Camp said the attack was likely deliberate adding that the limited detail released on the breach meant "effort was involved".
He made general suggestions, including setting specific hours when certain data can travel outside of a firewall, and hire someone to monitor systems, to ensure network access can be cut off manually if need be.
Other experts point to the weaknesses in defensive strategies.
“Sometimes, the attackers log right in using employees access credentials and then proceed to access information on the network without using any custom malware," Lancope security director Tom Cross said.
This is the second time the DOE has reported a data breach this year. In February, intruders accessed sensitive information, and the agency announced later that month that it spent $20 million to beef up its security.