Features
Resources
Pricing
Enterprise
About
Login
Get Started
Cloaked-icon-logo
Features
Resources
Pricing
Enterprise
About
Login
Get Started
Features
Resources
Pricing
Enterprise
About
Blog
Data Breaches

Pennsylvania Attorney General’s Office Confirms Data Breach After INC Ransom Attack

November 17, 2025
by
Abhijay Bhatnagar
deleteme

The Pennsylvania Office of the Attorney General (OAG) has confirmed that personal and medical information was stolen during the August 2025 ransomware attack carried out by the INC Ransom group. The attack caused major operational outages across the agency and resulted in the exfiltration of sensitive files before systems were encrypted.

Below is a clear breakdown of what information was exposed, what risks impacted individuals should consider, and the actions you should take now.

1. What Datapoints Were Leaked?

Following an internal review, the Pennsylvania OAG verified that the attackers accessed and stole files containing highly sensitive personal data.

Confirmed Exposed Information

Depending on the individual, the compromised files may include:

  • Full name
  • Social Security number (SSN)
  • Medical information

This combination of personal and health-related data significantly elevates the severity of the breach.

Scale of the Breach

The INC Ransom gang claims to have stolen:

  • 5.7 TB of files, including internal documents
  • Files that allegedly provided access to an FBI internal network (still unconfirmed by authorities)

How the Breach Happened

While the OAG has not released full technical details, cybersecurity researchers identified:

  • Public-facing Citrix NetScaler appliances on the OAG network
  • These systems were vulnerable to Citrix Bleed 2 (CVE-2025-5777)
  • The devices were taken offline only after the attack window had already opened

Operational Impact

When the breach was discovered on August 9th, attackers disrupted:

  • The OAG website
  • Employee email accounts
  • Landline phone systems

This attack represents one of the most disruptive incidents targeting a Pennsylvania state agency in recent years.

2. Should You Be Worried?

If your data was part of this breach, yes — you should take this incident seriously, especially because of the types of information exposed.

High Identity Theft Risk

Stolen SSNs and names allow attackers to commit:

  • Government benefits fraud
  • Tax refund fraud
  • New account fraud
  • Medical identity theft

These risks can persist for years.

Potential Medical Information Misuse

Exposed medical details increase risks of:

  • Extortion attempts
  • Targeted scams
  • Insurance fraud

Medical identity theft is often harder to detect and resolve.

Long-Term Threat Landscape

INC Ransom is a ransomware-as-a-service (RaaS) operation known for:

  • Stealing massive datasets
  • Publishing sensitive information if no ransom is paid
  • Targeting government, healthcare, retail, and education institutions

Their victim list includes Yamaha Motor Philippines, NHS Scotland, Ahold Delhaize, and Xerox Business Solutions.

Confirmed State-Level Target

This is the third major ransomware incident involving Pennsylvania public entities, showing ongoing targeting by sophisticated threat actors.

Given the sensitivity of the exposed data, individuals should consider themselves at high risk for long-term fraud and targeted attacks.

3. What Should Be Your Next Steps?

If you receive a notification from the Pennsylvania OAG — or believe your information may have been affected — take these steps immediately:

1. Monitor and Protect Your Identity

Because SSNs were exposed:

  • Place a credit freeze with all major credit bureaus
  • Enroll in identity monitoring (OAG may provide services)
  • Check for unauthorized credit inquiries
  • Monitor tax filings for early fraudulent returns

2. Watch for Medical Identity Fraud

Review:

  • Insurance statements
  • Explanation of Benefits (EOB) documents
  • Medical billing records

Report any unfamiliar activity to your insurer and providers.

3. Strengthen Your Online Security

Even if passwords weren’t compromised, follow best practices:

  • Update passwords for government, medical, and financial portals
  • Enable multi-factor authentication
  • Review security questions—especially if they link to personal history

4. Stay Alert for Targeted Scams

After breaches involving medical or government data, common scams include:

  • Fake IRS or SSA calls
  • “Medical billing correction” scams
  • Threats pretending to be law enforcement
  • Phishing emails claiming to be from the OAG or FBI

Do not click links or share personal information unless you verify the requester.

5. Document Everything

If fraud occurs:

  • Keep email logs
  • Save billing statements
  • Collect evidence for insurance disputes or identity theft claims

Having documentation helps when working with law enforcement or credit agencies.

Cloaked FAQs Accordion

Frequently Asked Questions

First, change your passwords—especially if you've reused them across sites. Then enable two-factor authentication (2FA) on all key accounts. Review your account and credit activity regularly for any unusual behavior. If suspicious actions surface, consider freezing your credit and alerting your bank. To proactively reduce exposure in the future, tools like Cloaked can mask your personal information before breaches happen.

Cloaked provides you with disposable emails, phone numbers, and payment details, making it harder for bad actors to access your real identity. These tools help you safely sign up for services, communicate, and shop online without putting your core identity at risk.

Commonly targeted data includes full names, email addresses, phone numbers, birthdates, physical addresses, login credentials, and payment info. Tools like Cloaked help shield this information by providing secure, masked alternatives.

Always be skeptical. Malicious links are one of the most common ways hackers infect devices or steal data. Avoid clicking unless you can verify the source. Services like Cloaked can add layers of security so your real contact info isn’t exposed even if you make a mistake.

Using the same contact info across platforms makes it easy for attackers to build a full profile of you. If one platform gets breached, all your accounts can be at risk. That’s why Cloaked allows you to use different, secure contact methods for each service.

Effective date

More in 

Data Breaches

View all

Could You Be Affected by Die Linke’s Ransomware Attack? What You Need to Know and Do Now

Data Breaches
by
Abhijay Bhatnagar

Were You Affected by the Hims & Hers Data Breach? Here’s What Was Exposed—And What You Should Do Now

Data Breaches
by
Abhijay Bhatnagar

Are Your Favorite Mobile Apps from China Putting Your Privacy at Risk?

Data Breaches
by
Abhijay Bhatnagar
Product
Pricing
Features
Scan
Security
Company
Team
Blog
Opt out guides
Affiliates
Contact
Careers
Changelog
Download
App Store
Play Store
Extension
Whitepaper
Connect
Instagram
TikTok
YouTube
Facebook
LinkedIn
Legal
Privacy Policy
Terms of Service
Prohibited Use Policy
Cloaked Pay Agreements
2026 Cloaked. All rights reserved.
Currently available in 🇺🇸 and 🇨🇦. Please email [email protected] to opt out of the data exposure scan. At Cloaked, we believe the best way to protect your personal information is to keep it private before it ever gets out. That’s why we help you remove your data from people-search sites that expose your home address, phone number, SSN, and other personal details. And to keep your info private going forward, Cloaked lets you create unique, secure emails and phone numbers with one click - so you sign up for new experiences without giving away your real info. With Cloaked, your privacy isn’t a setting - it’s the default. Take back control of your personal data with thousands of Cloaked users.
*Disclaimer: You agree not to use any aspect of the Cloaked Services for FCRA purposes.