Pennsylvania attorney general says SSNs stolen during August ransomware attack
A ransomware attack on the Pennsylvania Office of the Attorney General exposed the Social Security numbers and medical information of an undisclosed number of people.
In a statement on Monday, the office confirmed that data was stolen during the attack, which caused chaos this summer for the state’s legal system, taking down the website, phone lines and email systems used by most employees.
“Based on the OAG's review of the data involved, for some individuals the information involved may have included name, Social Security number, and/or medical information,” Attorney General Dave Sunday said.
“On November 14, 2025 we provided notice, via email, of this incident to individuals for whom we had been provided a valid email address. We have also notified the Federal Bureau of Investigation of the incident and are assisting their investigation.”
The statement confirms that the ransomware attack was discovered on August 9 and that a subsequent investigation confirmed that files were stolen from the office’s systems during the incident.
A toll-free number was created for victims with questions about the incident.
The office did not respond to requests for comment about how many people were impacted.
While the office’s statement claims it “has no evidence of the misuse, or attempted misuse, of any information that was potentially involved,” the attack was claimed by the INC ransomware gang in September. It is unclear whether the group published the stolen data.
Sunday previously confirmed that hackers encrypted files and systems used by his office but said officials did not pay the ransom demanded.
The attack threw a wrench into Pennsylvania’s legal system for nearly a month, forcing courts to provide time extensions for certain criminal and civil cases. The office’s 1,200 staff members were forced to use “alternate channels and methods” to conduct work throughout August.
“This situation has certainly tested OAG staff and prompted some modifications to our typical routines — however, we are committed to our duty and mission to protect and represent Pennsylvanians, and are confident that mission is being fulfilled,” Sunday said at the time.
Researchers previously attributed the attack to internet-exposed instances of Citrix NetScaler that were vulnerable to CVE-2025-5777, known colloquially as Citrix Bleed 2, and several other related bugs.
Cybersecurity expert Kevin Beaumont shared evidence of two internet-exposed Citrix NetScaler devices tied to the Office of the Attorney General that were later removed from the internet.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



