Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.

The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems.

CMS didn’t say how the attackers gained access to the accounts, but said it shut off the affected accounts “immediately.”

In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data — including partial Social Security numbers, immigration status and some tax information — may have been taken.

According to the letter, the data included:

Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application;

Other information provided on the application, including expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance;

Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations;

The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount; and

If the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.

But the government said that no bank account information — including credit card numbers, or diagnostic and treatment information — was taken.