Documents related to COVID-19 vaccines - stemming from last year's compromise of the European Medicines Agency (EMA) - have been leaked on the internet.

In an update on Tuesday - the EMA's fourth since news of the cyberattack broke in December - it confirmed that "some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet."

The EMA is the unit of the European Union in charge of overseeing medicine; it also regulates vaccines across the EU.

The EMA was fairly mum about the attack at first, claiming it was the victim of a cyberattack and that it had launched an investigation. It didn't elaborate on what may have been accessed, who may have accessed it and when exactly the attack happened. That day, perhaps in an effort to reiterate that their own systems weren't breached as part of the incident, Pfizer and BioNTech disclosed jointly that some of their documents on the vaccine candidate, BNT162b2 - data that had been stored on an EMA server - were involved in the attack.

It wasn’t known until this week that the data had actually been exfiltrated as part of the cyberattack.

In addition to documents related to COVID-19 medicines and vaccines, EMA confirmed that personal data may have been also been subject to unauthorized access during the breach. While not confirmed, some reports crediting cybersecurity experts claim the leaked data includes email screenshots, EMA peer review data, like comments and several PDF files, Word documents, and PowerPoint presentations, all which could contain personal data.

It's unclear exactly what the attackers are looking to prove by releasing the data online now. The hack didn't affect the EMA's regulatory network, nor did it affect any timelines around the evaluation and approval of the vaccines. According to the EMA, the attack took place after the companies had already submitted their vaccines to the EMA for approval in EU member states.

Vaccine data has been an appealing target for cybercriminals throughout the pandemic.

State sponsored attackers, believed to be working on behalf of Russian intelligence services and the People's Republic of China, have been carrying out spearphishing attacks, along with other high-profile exploits on organizations involved in the research and development of a vaccine all along.

The UK’s National Cyber Security Centre pinned some hacking attempts in July on APT29, also known as Cozy Bear, while the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in May that China-based attackers were eyeing health care, pharmaceutical, and research sectors working on COVID-19 response.

One of the latest COVID-related attacks involved a phishing campaign that targeted the cold chain - companies and organizations working to keep the vaccines refrigerated in transit.