No customer data was affected. The data was held by the company's pension department.
The drive contained images of microfilm files, which included names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information.
Some health insurance information may have also been included - mostly enrollment forms, but also details about coverage, treatment, and other administrative information.
The data spans a period from 1960 to 1995.
AMR also believes some of the employee files also contained information on beneficiaries, dependents and other employees from 1960 to 1995.
The company has sent letters to the people that were impacted by the breach. AMR is offering one year of free credit monitoring for those affected.
It has already stepped up protective measures at its headquarters, including increasing security and testing the vulnerability of its computers.
AMR said it's still investigating the incident.