

Data breaches are intentional events that result in confidential, private, or protected information being exposed to an individual who is not authorized to access it. The criminals behind them may target individuals or institutions to steal personal or financial information to advance their own interests. Pennsylvania is no stranger to this, having recently led the nation in ransomware losses: in 2020, more than $5,000,000 was stolen from citizens and groups within the state. Since then, legal steps have been taken, including an amendment to the Breach of Personal Information Notification Act that updated the earlier 2005 version.

Identity Theft Statistics

Identity Theft
  • State Rank (Reports per 100K Population)
  • Identity Theft Reports

Fraud & Other
  • State Rank (Reports per 100K Population)
  • Total Fraud & Other Reports
  • Total Fraud Losses
  • Median Fraud Losses

Top Ten Report Categories

  1. Identity Theft
  2. Imposter Scams
  3. Telephone and Mobile Services
  4. Online Shopping and Negative Reviews
  5. Credit Bureaus, Information Furnishers and Report Users
  6. Banks and Lenders
  7. Prizes, Sweepstakes and Lotteries
  8. Debt Collection
  9. Auto Related
  10. Internet Services

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Bank Fraud
Loan or Lease Fraud
Phone or Utilities Fraud
Employment or Tax-Related Fraud
Government Documents or Benefits Fraud

Pennsylvania's Biggest Data Breaches


Warren General Hospital

Warren General Hospital issued a notice of a breach in November 2023 after detecting suspicious activity on its network. The information affected by the breach included financial account information, payment card data, health insurance claims, and Social Security numbers. Warren General stated its ongoing commitment to information security and said its investigation was assessing its network to determine the full scale of the attack. Current estimates show that 169,000 patients were affected by the breach.


Pennsylvania Water System Hack

In 2023, the Aliquippa Municipal Water Authority in Pittsburgh experienced a data breach when Iranian cybercriminals attacked one of its booster stations. As a result, the automated system was shut down immediately, and operations resumed manually. The attack did not pose a significant risk to the water supply or the quality of drinking water, and operations remained largely unaffected. Congressman Chris Deluzio nonetheless urged aggressive prosecution of the attackers. He also sent a letter to the United States Attorney General calling for an investigation of the cyber attack, saying that if it could happen in western Pennsylvania, it could happen anywhere.


Connexin Software, Inc.

In September 2022, Connexin determined that an unauthorized party on its network was accessing patient data. This data breach involved the exfiltration of more than 2.2 million pediatric records. The data taken in the breach included Social Security numbers, patient demographics such as names, addresses, and dates of birth, and medical treatment information. Individuals who may have been impacted were notified by mail; however, the company issued a disclaimer that it may not have been able to reach everyone affected, especially where contact information was insufficient or outdated. The organization has since been sued in a class action suit brought on behalf of the plaintiff, Amiyah Green. The suit, filed in the U.S. District Court for the Eastern District of Pennsylvania, alleged that Connexin was required to implement safeguards to ensure the privacy of protected health information.


Keystone Health

Keystone Health discovered a disruption of its systems caused by a hacking incident on August 19th, 2022. According to the healthcare provider, its team immediately investigated the attack to determine whether any patient data had been compromised. Preliminary assessments showed the breach affected 235,000 patients. In response, a plaintiff named Whitehead filed a class action complaint against the institution, citing ascertainable losses. The case is still ongoing at present.


Equifax Data Breach

Equifax, a credit reporting agency, suffered a cybersecurity breach in 2017 affecting approximately 5.5 million Pennsylvania residents. The information accessed included names, Social Security data, addresses, birth dates, and driver's license numbers. The criminals also accessed the credit card information of an estimated 209,000 consumers. In response, Attorney General Josh Shapiro's Bureau of Consumer Protection opened an investigation into the incident, including the company's delay in notifying affected individuals.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are common now, given how much we rely on online connections and digital service delivery. Criminals work in the shadows to steal your personal information, so ongoing fraud often becomes apparent only when you notice certain warning signs. These signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government treats Social Security numbers as personal identifiers, so check your Social Security statement regularly to make sure no one is claiming benefits in your name without your consent.

Inability to Log In to Accounts

If you are locked out of an account, it is usually because someone has broken into it and changed the password. Immediately try all available recovery options, and contact customer support if they all fail.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords on compromised platforms, using strong passwords that mix upper- and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change the passwords for all accounts affected by the breach. Make sure each password is unique to that account, and enable two-factor authentication as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Watch your mail and your credit reports for accounts, inquiries, or changes you did not authorize.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Any company operating within Pennsylvania is required to stay attentive to current legal statutes. All businesses within the state must provide notice of a system breach to any person whose mailing address, as reflected in the organization's records, shows them to be a Pennsylvania resident, when that person's unencrypted personal information stored or maintained by the organization is believed to have been accessed by an unauthorized party.

Although there is no requirement to notify the attorney general, section 2303 of Title 73 of the Pennsylvania Statutes imposes short notification deadlines on contractors, state agencies, and county authorities. When an entity issues notification under the act to more than 1,000 people at one time, it also has to notify the nationwide consumer reporting agencies without delay.

The personal information that businesses are required to protect is defined as the following:

  1. Social Security Numbers
  2. Driver's License Numbers
  3. Credit Card Numbers and Debit Card Numbers
  4. Medical Information
  5. Health Insurance Information
  6. Email Addresses

Personal information does not include publicly available information that is lawfully made available to the public from local, state, and federal government records.

Notice may be provided by any of the following methods: a written notice sent to the person's last known home address; a telephone notice, if the consumer can reasonably be expected to receive it and the notice is given conspicuously and describes the incident unambiguously; or an email notice, if a prior business relationship exists and the institution has a valid email address for the person.

There are exceptions, however. An entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are consistent with the act's notification requirements, is deemed to be in compliance with those requirements.


Title 73, Section 2301 of the Pennsylvania Statutes is the Breach of Personal Information Notification Act.

  • Implemented in 2006, the data breach law requires that Pennsylvania businesses that maintain or store personal information notify affected people of data breaches that result in the unauthorized acquisition of that information.
  • The law also mandates that notices of data breaches are made without unreasonable delay.
  • If more than 1000 consumers are affected, consumer reporting agencies should also be notified.
  • Breached third parties are required to notify data owners or licensees.
  • According to the Act of Nov. 3, 2022, P.L. 2139, No. 151, which amends the 2005 statute, if the state determines it is the subject of a breach of security affecting personal information maintained by the state, it has to provide notice of the security breach within seven business days following the determination of the breach.
  • Section 5.1 of the same statute mandates that an entity that maintains or stores computerized data containing personal information on behalf of the commonwealth shall create a policy governing the proper storage of that personal data.