Last month, Sturdy Memorial Hospital in Attleboro wrote letters to thousands of patients disclosing that it had recently paid a ransom to protect a large store of patients’ personal information.

Three months earlier, the hospital’s network server had been breached in a ransomware attack. And while the hospital had been quick to stop the attack and secure its computer systems, it was not before cybercriminals had stolen sensitive personal information belonging to more than 57,000 patients.

Among the data stolen were names, addresses, Social Security numbers, driver’s license numbers, phone numbers, dates of birth, credit card numbers and security codes, bank information, medical history information, and health insurance information.

Sturdy revealed the essence of what happened in a statement on its website, in its letter to affected individuals, and in legally required disclosures to government regulators:

“In exchange for a ransom payment, we obtained assurances that the information acquired [by the cybercriminals] would not be further distributed and that it had been destroyed.”

The hospital declined to answer detailed questions about the attack, including whether it has any proof the information was destroyed by the hackers.

Ransomware attacks have been much in the news lately, including one on June 2 on the Steamship Authority that blocked online bookings for about a week, caused delays, and affected other operations.

Two other victims, JBS, the world’s largest meat processor, and Colonial Pipeline, which transports nearly half of the East Coast’s gas supply, recently paid ransoms after attacks.

Here’s what consumers should know about the risk to personal information in cyberattacks:

Q. Did Sturdy do the right thing by paying the ransom?

A. The FBI has warned victims that paying a ransom could encourage further malicious activity. Sturdy has given no indication that it paid a ransom to have its own computer systems unencrypted or unlocked, as was the case in the JBS and Colonial Pipeline ransomware cases.

If Sturdy paid the ransom for the sole purpose of protecting patients from identity theft, as opposed to rescuing one of its own systems, that’s laudable.

Sturdy was under no legal, contractual, or regulatory obligation to pay the ransom on behalf of the affected individuals, according to half a dozen cybersecurity specialists interviewed. Still, given that the data were in its custody when the breach occurred, Sturdy may have felt a moral obligation to pay the ransom.

Q. How damaging would it be to release personal information?

A. Cybercriminals exploit personal information obtained online to steal identities and open loan or credit card accounts in those identities. Identity theft also allows criminals to file bogus claims for unemployment benefits, which has been rampant in Massachusetts and other states since the pandemic hit. Identity theft is rapidly increasing in the United States, with almost 1.4 million cases (not counting unemployment cases) reported last year to the Federal Trade Commission, double the number reported the previous year.

Q. Did payment of the ransom remove the threat of identity theft?

A. Probably not, or at least not entirely. If Sturdy got some kind of guarantee from the cybercriminals that they destroyed the stolen personal information, as they promised to do, it is not saying so.

“For security reasons, Sturdy is not disclosing any technical information regarding the incident and/or its investigation,” a hospital spokeswoman said in an e-mail to me.

I learned about the Sturdy ransomware attack from a onetime patient who received the letter. She is computer savvy, having worked in and around Internet technology for decades. She said once your Social Security number is in cyberspace you can never feel confident it won’t be misused. She said paying the ransom seemed like closing the barn door after the horse had already bolted.

Q. Is Sturdy at fault?

A. Sturdy is a victim. How cybercriminals arrived at a small community hospital near the Massachusetts-Rhode Island state line, I can’t imagine. But cybercriminals obviously do not restrict themselves to large targets. The City of Lawrence and Haverhill’s public schools, for example, recently came under separate attacks.

Still, the fact that the hackers penetrated Sturdy’s defenses raises questions of preparedness. Sturdy has said that it’s adding additional “safeguards and technical security measures to further protect and monitor our systems.”

Q. Has there been an increase in ransomware attacks locally?

A. It’s hard to say, because the disclosures required by federal and state regulators do not differentiate between ransomware and other types of breaches. But the disclosures do show an increase in the overall number of breaches in Massachusetts.

Last year, more than 2,100 breaches were reported to the state Office of Consumer Affairs, about a 15 percent increase compared to the previous year. And the impact has been far greater: More than 1 million Massachusetts residents were affected last year, a 70 percent increase over the previous year.

Q. What more is Sturdy doing on behalf of patients?

A. Sturdy is offering two years of free credit monitoring and “identity protection support” by Experian, one of the big credit bureaus. (That’s $240 retail value.)

Businesses and nonprofits in Massachusetts are legally required to mitigate, as best they can, the damage caused by data breaches involving personal information. Massachusetts, a national leader in data protection regulation, is one of a handful of states that mandate free credit monitoring.

Q. Are companies and nonprofits required to protect consumer data?

A. Yes, under state regulations adopted more than a decade ago, they must assess and remediate risk, and adopt a written information security program for systems that contain personal information.

Q. What should consumers do if their data are involved in a breach?

A. If you notice an unauthorized purchase on your credit card, call your credit card company and tell them to freeze your account, while you change your login, password, and PIN.

It’s also a good idea to get and review the free credit report you are entitled to from each of the credit bureaus once a year.

If you have concerns, you can obtain a one-year “initial fraud” alert by contacting one of the three major credit bureaus (Experian, TransUnion, and Equifax). That company must then alert the other two. It requires lenders to verify your identity before issuing new credit in your name.

An extended fraud alert is also available. It remains in effect for seven years unless you have it removed sooner.

You can also opt for a credit freeze, which is more protective than an alert. It prohibits potential new creditors from accessing your credit history at all unless you first lift the freeze.

Got a problem? Send your consumer issue to sean.murphy@globe.com. Follow him on Twitter @spmurphyboston.