When we think of major-name data breaches that affect millions of consumers, we probably think of teams of elite hackers infiltrating a network by exploiting a vulnerability in the technology. But sometimes, a data breach is the work of a good old-fashioned crook and not the result of sophisticated cybercrime skills.

When California-based managed care provider Molina Healthcare first learned a breach had occurred, the next step in the investigation was to uncover the source of the vulnerability. The breach was uncovered and reported to Molina in July by CVS, the pharmacy that oversees the provider’s over-the-counter (OTC) medications. According to their reporting, a CVS employee had downloaded patient information to his laptop, information which included full names, CVS-specific numbers on each patient, prescription coverage plan numbers, and coverage dates.

While that information may not seem all that sensitive, having enough information allows the perpetrator to steal patients’ identities, sell their identities, and commit other forms of fraud. The immediate assumption is that this is enough personal data to engage in medical identity theft, which occurs when someone fraudulently uses the victim’s information to receive health care, prescription drugs, or other related services. Medical identity theft is one of the fastest growing forms of the crime, with a 22% increase in 2014 and estimates that as many as 2.3 million Americans have already been victims of this crime.

The type of data breach that seems to have struck Molina Healthcare is known as an internal data breach. Internal breaches are actually broken down into two different categories: accidental and intentional. Accidental data breaches are just what they sound like; an employee might have downloaded a virus from a phishing email, or lost a laptop with sensitive, unencrypted information on it. Intentional data breaches—again, as the name implies—occur when someone purposely steals customer or co-worker data, usually with plans to later use it or sell it for identity theft.

In this particular incident, investigators have made the connection between CVS providing OTC medications and the type of information the employee gathered. While identity theft is still a major concern—as medical identity theft following a data breach has risen by 21.7% in the past year—investigators are also concerned that the information may have been collected in order to fraudulently buy OTC medications, some of which are actually key ingredients in the creation of certain illegal drugs.

Individuals who are believed to have been affected by this data breach have already received notification letters that outline the steps for setting up alerts and freezes on their credit reports. It’s vital that known victims of a data breach take proactive steps to prevent damage to their identities; in any breach event in which the affected company offers credit monitoring services, it’s important that consumers take full advantage.