A third party accessed a computer server that had a database with participant account details on February 24, according to a filing.
A vendor overseeing the server detected the breach on March 21 and found no indications that any data was taken, according to the filing.