A spring 2015 data breach has resulted in one and half million residents of Indiana—approximately one-fourth of the state’s population—having their medical and identifying information stolen by hackers.

The incident, which affected Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard, also impacted another nearly four million individuals across the country.

The information that the as-of-yet unknown hackers accessed includes patient names, Social Security numbers, lab test results, and medical records, as well as a wealth of other information. The data is believed to have been stolen from hospitals across Indiana, Ohio, and Michigan, as well as from healthcare providers and numerous radiology centers which all used MIE for data processing.

Medical systems are a high-profile target for hackers due to the incredible amount of information they gather and store on patients. That’s coupled with the fact that practically everyone uses some kind of medical provider over the course of their lifetimes, so the information is there for the taking.

While MIE’s official statement warns individuals to immediately begin monitoring their credit reports and to set up alerts and freezes on their credit, affected individuals also need to remember to file their tax returns as early as possible next January so that they can beat an identity thief to the punch.

There is one other thing all consumers can do to minimize this kind of threat, and that’s to be mindful of how much information they share about themselves. This doesn’t only go for medical offices, which are widely known for requesting patients’ SSNs, but even school enrollment formsday camp forms, and volunteer applications to teach Sunday School are known for putting a blank for you to provide the number. Too often, the public sees the blank and fills it out without asking who needs it, why they need it, and how they plan to keep it from falling into the wrong hands.

It can be tough to keep from giving out your SSN, as the law doesn’t really offer protection for consumers who don’t wish to provide it. It does mean that your number should only be used for its originally intended purposes of tax identification, but it also means that a doctor’s office, for example, does not face repercussions for refusing you treatment for non-life threatening situations if you don’t provide it. Currently, several states are working on enacting legislation to protect consumers and their private, sensitive data by limiting who can request the SSN, but until that time, it is the individual’s responsibility to give it out wisely.