Pfizer Took Six Weeks To Admit Data Breach
By Ed Silverman // July 14th, 2007 // 9:43 am
It took the drugmaker a month and a half to notify its 17,000 current and former employees of the now-famous data breach this past spring, according to an eight-page letter from the company that Connecticut Attorney General Richard Blumenthal released today. You can read the letter here.
An attorney for Pfizer, Bernard Nash, wrote in the July 11 letter that the drugmaker learned of the breach on April 18, when an independent consultant told the company that sensitive data had been found on a peer-to-peer network. Pfizer did not begin notifying anyone until June 1, and the mailing to employees was not completed until June 6.
The letter offered no explanation for why Pfizer waited six weeks. An internal investigation found that the breach occurred on March 26, when the spouse of a Pfizer employee used a company laptop to install unauthorized software and access a file-sharing network; no criminal activity was apparently involved.
Pfizer, meanwhile, also acknowledged that Experian, which Pfizer hired to provide a year of credit checks, refers to $50,000 in identity theft insurance when, in fact, only $25,000 is available.
“Pfizer takes very seriously its responsibility to secure its data and has many policies, procedures and protections to safeguard personal information,” Nash wrote in his letter. “Unfortunately, those safeguards were circumvented when an employee (against company policy) inappropriately divulged the password for a Pfizer laptop to the employee’s spouse.”
In its defense, Pfizer insisted it has upgraded its procedures. The “post-incident plan” includes additional training on company policies and procedures; changes to its data-collection methods that drop the use of Social Security numbers; unspecified “additional controls” on Pfizer computer systems that will restrict the use of unauthorized software; and updated educational materials and corporate policies.
One former Pfizer employee recently filed a lawsuit seeking class-action status. You can read about that here.
Thanks to The Day.
Hank
Love the lawsuit part. Pfizer, and PhRMA in general, are working very hard to outlaw civil suits over drug-caused deaths and injuries if the drug was in FDA compliance (FDA preemption argument).
Could the same be used here? What if the errant computer program was “in compliance” with whatever institution oversees computer programs?
It’s a thought.