The Pennsylvania Office of the Attorney General (OAG) has confirmed that personal and medical information was stolen during the August 2025 ransomware attack carried out by the INC Ransom group. The attack caused major operational outages across the agency and resulted in the exfiltration of sensitive files before systems were encrypted.
Below is a clear breakdown of what information was exposed, what risks impacted individuals should consider, and the actions you should take now.
1. What Datapoints Were Leaked?
Following an internal review, the Pennsylvania OAG verified that the attackers accessed and stole files containing highly sensitive personal data.
Confirmed Exposed Information
Depending on the individual, the compromised files may include:
- Social Security number (SSN)
This combination of personal and health-related data significantly elevates the severity of the breach.
Scale of the Breach
The INC Ransom gang claims to have stolen:
- 5.7 TB of files, including internal documents
- Files that allegedly provided access to an FBI internal network (still unconfirmed by authorities)
How the Breach Happened
While the OAG has not released full technical details, cybersecurity researchers identified:
- Public-facing Citrix NetScaler appliances on the OAG network
- These systems were vulnerable to Citrix Bleed 2 (CVE-2025-5777)
- The devices were taken offline only after the attack window had already opened
Operational Impact
When the breach was discovered on August 9th, attackers disrupted:
This attack represents one of the most disruptive incidents targeting a Pennsylvania state agency in recent years.
2. Should You Be Worried?
If your data was part of this breach, yes — you should take this incident seriously, especially because of the types of information exposed.
High Identity Theft Risk
Stolen SSNs and names allow attackers to commit:
- Government benefits fraud
These risks can persist for years.
Potential Medical Information Misuse
Exposed medical details increase risks of:
Medical identity theft is often harder to detect and resolve.
Long-Term Threat Landscape
INC Ransom is a ransomware-as-a-service (RaaS) operation known for:
- Stealing massive datasets
- Publishing sensitive information if no ransom is paid
- Targeting government, healthcare, retail, and education institutions
Their victim list includes Yamaha Motor Philippines, NHS Scotland, Ahold Delhaize, and Xerox Business Solutions.
Confirmed State-Level Target
This is the third major ransomware incident involving Pennsylvania public entities, showing ongoing targeting by sophisticated threat actors.
Given the sensitivity of the exposed data, individuals should consider themselves at high risk for long-term fraud and targeted attacks.
3. What Should Be Your Next Steps?
If you receive a notification from the Pennsylvania OAG — or believe your information may have been affected — take these steps immediately:
1. Monitor and Protect Your Identity
Because SSNs were exposed:
- Place a credit freeze with all major credit bureaus
- Enroll in identity monitoring (the OAG may offer these services to affected individuals)
- Check for unauthorized credit inquiries
- Monitor tax filings for early fraudulent returns
2. Watch for Medical Identity Fraud
Review:
- Explanation of Benefits (EOB) documents
Report any unfamiliar activity to your insurer and providers.
3. Strengthen Your Online Security
Even if passwords weren’t compromised, follow best practices:
- Update passwords for government, medical, and financial portals
- Enable multi-factor authentication
- Review security questions—especially if they link to personal history
4. Stay Alert for Targeted Scams
After breaches involving medical or government data, common scams include:
- “Medical billing correction” scams
- Threats pretending to be law enforcement
- Phishing emails claiming to be from the OAG or FBI
Do not click links or share personal information unless you verify the requester.
5. Document Everything
If fraud occurs:
- Collect evidence for insurance disputes or identity theft claims
Having documentation helps when working with law enforcement or credit agencies.
Frequently Asked Questions
First, change your passwords—especially if you've reused them across sites. Then enable two-factor authentication (2FA) on all key accounts. Review your account and credit activity regularly for any unusual behavior. If suspicious actions surface, consider freezing your credit and alerting your bank. To proactively reduce exposure in the future, tools like Cloaked can mask your personal information before breaches happen.
Cloaked provides you with disposable emails, phone numbers, and payment details, making it harder for bad actors to access your real identity. These tools help you safely sign up for services, communicate, and shop online without putting your core identity at risk.
Commonly targeted data includes full names, email addresses, phone numbers, birthdates, physical addresses, login credentials, and payment info. Tools like Cloaked help shield this information by providing secure, masked alternatives.
Always be skeptical. Malicious links are one of the most common ways hackers infect devices or steal data. Avoid clicking unless you can verify the source. Services like Cloaked can add layers of security so your real contact info isn’t exposed even if you make a mistake.
Using the same contact info across platforms makes it easy for attackers to build a full profile of you. If one platform gets breached, all your accounts can be at risk. That’s why Cloaked allows you to use different, secure contact methods for each service.