Johns Hopkins University and Health System are investigating a cyberattack that may have exposed personal information of students and patients.

Officials sent a letter to the community Thursday stating that the organization is looking into what data has been impacted and what steps to take forward.

“Johns Hopkins takes the privacy and security of our community members extremely seriously,” the officials wrote in the letter. “Our cybersecurity team is working closely with data security experts and law enforcement to determine what information was involved. This investigation is ongoing, but our initial evaluation shows the attack may have impacted the information of Johns Hopkins employees, students, and/or patients.”

Electronic medical records were not impacted by the breach, but personal information that could lead to identity theft may have been compromised.

The organization says it will reach out directly and individually to people who have been affected by the breach and will provide two years of free credit monitoring.

Johns Hopkins says it learned on May 31 that it was a victim of a vulnerability in a widely-used file transfer software called MOVEit.

It’s suspected that Russian-linked ransomware hackers are behind the breach. The vulnerability is impacting multiple other large organizations like the Shell Corporation, U.S. financial institutions like 1st Source and Putnam Investments and other schools like the University System of Georgia.

Johns Hopkins says it is working to secure its networks.

In the meantime, the organization is asking people who think they may have been exposed to monitor activity on their accounts, consider freezing their credit and watch out for suspicious emails.