Former Pfizer Worker Faces Charges Over Data Breach That Affected 34,000 People


The drugmaker has contacted federal authorities in hopes they will prosecute a former employee responsible for a data breach that affected 34,000 people, according to info released by the Connecticut attorney general, The Day reports. This was one of three episodes involving Pfizer data breaches this year; the first one affected 17,000 former and current employees.

Pfizer attorney Bernard Nash, in a five-page response to questions posed earlier this month by state Attorney General Richard Blumenthal, said the drugmaker contacted “a management-level federal prosecutor” and now hopes the former employee will be prosecuted “to the fullest extent of the law.” In his Sept. 12 letter, Nash writes that Pfizer learned of the data breach after the suspect had left the drugmaker. The suspect’s new employer sent Pfizer a DVD containing the missing data that had been discovered on his new computer.

Since then, Pfizer has pursued the possibility that the suspect compromised more personal info. “Pfizer has retained an independent forensic expert to examine the computer assigned to the individual at (the suspect’s) subsequent place of employment,” Nash wrote. “Pfizer has also secured a forensic image of the laptop computer assigned to the individual during his time at Pfizer, and this computer is also being examined.”

Pfizer hasn’t revealed where the former employee had been working when he accessed the Pfizer computer system and wrongfully removed data nor would it reveal the name of his new employer or whether he was still employed there. It did say that the person had been authorized to access the info, though the removal of the data was against Pfizer policy.

It’s not clear what penalties might be sought in a possible prosecution, the paper writes. Recent penalties for intentional data breaches leading to identity theft have led to sentences up to 27 months in jail, according to the U.S. Department of Justice Web site. Joseph Laferrera, a partner in the Boston law firm Gesmer Updegrove and an expert in high-tech law, tells the paper that the former Pfizer employee could be prosecuted under the federal Computer Fraud & Abuse Act, but the penalty would vary depending on the intent of the data breach.

Nash wrote that he welcomed Blumenthal’s decision to alert criminal authorities to the incident, which occurred late last year and was reported late last month. The incident was the third reported breach at Pfizer over a three-month period, though it actually happened before the other two.

A forensic review determined that personal info of current and former Pfizer employees had been compromised, including Social Security numbers, credit card numbers, phone and fax numbers, e-mail addresses, birth dates, signatures and reasons for termination from Pfizer. Subsequent reviews have determined the breach also exposed info about certain payments or reimbursements, according to Nash.

Pfizer is currently planning to implement a companywide campaign to stress privacy awareness and to let employees know about modified business processes and enhanced technology controls to prevent future data breaches. Ray Kerins, a Pfizer spokesman, says the plan includes four main facets: governance; education and awareness; policies and procedures; and technology. Pfizer also has appointed Lisa Goldman as its new chief privacy officer and will begin implementing the campaign in the very near future, according to Pfizer.

Nash’s letter defended the company’s previous security arrangements, pointing out that organizations ranging from Yale University in New Haven to the Department of Revenue Services in Connecticut have also experienced recent data breaches. “Even the most advanced computer security may be undermined by employees sharing passwords without authorization, or employees abusing their access to the computer system and removing data, such as occurred in two recent incidents affecting Connecticut residents (and Pfizer employees),” Nash wrote.

Comments

  1. [...] Fraud & Abuse Act, but any penalty would depend on the intent of the data breach. Thanks to Pharmalot for bringing the Day’s coverage to our attention. Permalink | Trackback URL: [...]

© 2007- 2008 Newark Morning Ledger Co.  All Rights Reserved.