Michigan’s Attorney General is asking three companies to turn over information about a major computer data breach.

New York-based American Medical Collection Agency (AMCA) provides medical debt collection services to health providers and health plans.

Hackers apparently accessed its files starting last August and continued to have access until March. They may have had access to patient credit card numbers, bank account information, medical information and other personal information, including Social Security numbers.

The records of at least 12 million patients nationwide may have been breached. It’s unknown how many Michiganders were affected.

Michigan Attorney General Dana Nessel is asking for information from the collection agency, as well as Quest Diagnostics and Optum360, two companies that have confirmed their records were affected by the breach.

“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” Nessel says in a written statement. “We continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs.”

The Attorney General’s office recommends that people who believe they may have been affected by this breach immediately take the following steps to protect their information:

Find out what information was compromised and act accordingly.

Pull your free credit report at annualcreditreport.com or by calling 877-322-8228.

Put a fraud alert on your credit file. The Federal Trade Commission provides a checklist for this.

Consider a security freeze on your credit file.

Take advantage of any free services being offered as a result of the breach.

Use two-factor authentication on your online accounts whenever it’s available.

According to Quest Diagnostics officials, they were informed of the breach by AMCA on May 14. The company says it has not yet received detailed or complete information from AMCA, including the names and addresses of affected patients.

Quest Diagnostics released a statement on the breach that reads in part: