Hackers accessed private patient medical records at the University of Utah’s hospitals in a cyberattack that went unnoticed for nearly two months.

The hack started April 6 and continued through May 22, said U. Health spokeswoman Kylene Metzger. When the university became aware of the scam, she added, it locked down the affected accounts.

It started when several employees responded to phishing emails that appeared to be legitimate requests. Hackers were then able to gain access to their accounts. They obtained patients’ names, dates of birth, medical record numbers and some clinical care information.

The U. said Thursday that at least 1,908 patients are impacted — but they may identify more who had their records stolen.

“Our investigation is ongoing,” Metzger said. “All patients whose information is included in these email accounts will be sent letters over the coming weeks.”

Metzger said the accounts do not appear to be targeted, and there is no indication that the attacks were related to COVID-19. But the information accessed is private and sensitive.

University of Utah Health has hired a cybersecurity firm to investigate the hack, where it came from and how or if the information accessed is being used by the hackers. The university is also training employees on how to avoid falling for phishing attempts in the future and will look at creating a multistep login for anyone trying to get on its systems from outside campus.

The hack comes after a previous cyberattack on U. Health in February, when malware was installed on employees’ workstations. That also allowed access to patient records.