A forensic investigation found the cyberattacker accessed personal and protected health information of people who purchased or attempted to purchase the company’s devices, including some names, addresses, dates of birth, Social Security numbers and medical information.