AdventHealth Medical Group Pulmonary and Sleep Medicine officials are warning up to 42,000 of their patients of a 16-month-long data breach at the facility that exposed their personal and health information.

The breach was discovered on December 27, 2018, but had been taking place since August 2017, according to HIPAA Journal. The medical facility, which is located in Taveras, Fla., has not yet learned how the malware was installed nor why it was able to remain undetected for so long.

However, AdventHealth was able to determine the malware gave the malicious actors access to patient names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height.

HIPAA Journal said AdventHealth has removed the malware and increased its cybersecurity audits and is offering credit monitoring for the victims.