A months-long cyberattack on the University of California, Los Angeles hospital system put at risk the personal information for up to 4.5 million people, officials said Friday.

UCLA Health said in a statement that while there’s no evidence hackers acquired personal or medical data, it can’t be ruled out yet.

Officials said they were working with the FBI to track the source of the attacks.

The FBI said in a statement that the agency was looking into the nature and scope of the cyberattack, as well as the person or group responsible.

University of California President Janet Napolitano ordered an outside cybersecurity group to assess the computer security system throughout the UC system and look for potential vulnerabilities.

Beginning as early as September 2014, hackers accessed a UCLA Health network that contains “personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information,” the UCLA statement said.

UCLA Health has hired private computer forensic experts to further secure information at its four hospitals. Free identity-protection services will be offered to people who may have been affected.

“We sincerely regret any impact this incident may have on those we serve,” said Dr. James Atkinson, UCLA Health’s interim associate vice chancellor and president. “We have taken significant steps to further protect data and strengthen our network against another cyber-attack.”

UCLA Health includes four hospitals on two campuses – Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children’s Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA – and more than 150 primary and specialty offices throughout Southern California.

Source: Associated Press