Quest Diagnostics, a New Jersey-based medical laboratory company, disclosed a data breach affecting about 34,000 people on Monday.
Digital intruders stole personal and medical information of customers—including names, dates of birth, lab results, and, in some cases, telephone numbers—Quest said in a notice posted its website. The thieves did not steal financial information such as Social Security or payment card numbers, the company said.
Attackers gained access to the data on November 26 through an improperly secured mobile app that lets patients share and store electronic health records, according to Quest (dgx). The app was called MyQuest by Care360.
Get Data Sheet, Fortune’s technology newsletter.
“When Quest Diagnostics discovered the intrusion, it immediately addressed the vulnerability,” Quest said in a statement. The company said it is now reviewing and bolstering its security posture with help from an unnamed cybersecurity firm.
Quest said it alerted victims by mail and reported the incident to law enforcement, which helping to investigate the matter. The company did not reveal additional information about the incident, which it described as an “unauthorized third-party intrusion.”
For more on hacking, watch:
Kim Gorode, a Quest spokesperson, provided an additional statement to Fortune in an email. “We deeply regret this incident and any inconvenience or concern it may have caused,” she wrote. “If individuals have any questions regarding this incident, please call 888-320-9970, Monday through Friday, between 9:00 a.m. and 7:00 p.m. Eastern Time.”