Bristol-Myers Squibb Co. (BMY) said a backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently.
The New York drug maker learned of the theft on June 4, and began notifying current and former employees by letter in the past few days, spokeswoman Tracy Furey told Dow Jones Newswires Thursday afternoon.
It was the latest in a series of security breaches involving customer or employee data in the corporate world. A Bristol-Myers rival, Pfizer Inc. (PFE), said last year that personal data for some of its current and former employees were exposed.
The Bristol-Myers backup data tape was stolen while being transported from a storage facility, Furey said. She declined to say where the incident happened, noting there was an active investigation. The company has reported the theft to law-enforcement authorities.
"We regret that this incident occurred and we are committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape," Furey said. "We're committed to protecting the privacy and security of employees, and maintaining their trust and confidence is paramount to us."
Bristol-Myers is offering a free credit-monitoring service for one year to affected people, to help detect possible misuse of the personal data. The company also said it's taking steps to enhance security procedures surrounding personal information and backup data tapes.
Furey declined to say how many people were affected. Bristol, which markets the blood-thinning drug Plavix and Enfamil baby formula, had about 42,000 employees as of Dec. 31, the last date for which work force figures were available in regulatory filings.
The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information, the company said. Data for some employees' family members also were on the tape.
Bristol has "no reason to believe that any of the personal information on the data tape has been inappropriately accessed by any unauthorized party, or that any identify theft, fraud or misuse of information has occurred," Furey said.
Although Bristol learned of the data theft on June 4, it only began notifying employees in recent days because the data were encoded and had to be reconstructed, Furey said. A forensics investigation had to be conducted to determine whether the data were at risk. As soon as the risk was determined, Bristol-Myers notified the affected people, she said.
The data theft was mentioned on pharmaceutical-themed Web sites in recent days, including Pharmalot.com, which posted a copy of a letter sent to employees.