Philadelphia disclosed a cyberattack almost five months after it first detected suspicious activity in the city’s email system that may have exposed some individuals' sensitive information.

A threat actor “may have gained access to certain city email accounts and certain information contained therein,” beginning May 26 and ending July 28, the city said Friday in a notice on its website.

The city said it brought in outside cybersecurity specialists and opened an investigation after the initial breach was discovered.

The investigation uncovered the threat actor’s two-month dwell time and on Aug. 22 determined some of the compromised email accounts contained protected health information. The investigation remains ongoing.

Philadelphia officials did not explain why the city waited an additional two months to disclose the attack after it discovered sensitive health data was compromised. The city said it reported the event to the U.S. Department of Health and Human Services.

“In an abundance of caution, we are conducting a comprehensive, programmatic and manual review of the potentially impacted email accounts to determine whether personal information or protected health information was potentially affected,” the city said in the notice.

The city did not respond to questions about how many individuals are impacted and why it hasn’t made any determinations about the type and amount of data compromised by the attack.