The largest union for government employees says the massive cyberattack on the government’s Office of Personnel Management was much worse than the Obama administration previously said it was, and every federal employee’s personally identifiable information has been compromised, the Associated Press reports. The OPM data includes information on most civilian federal employees, but not members of Congress or their staffs.

In a letter sent to OPM, J. David Cox, president of the American Federation of Government Employees, said the union believes information on all those federal employees, federal retirees and up to 1 million former federal employees was stolen, including their Social Security numbers, which Cox said the union believes were unencrypted. The union doesn’t have direct access to the investigation, the AP reports, but Cox said the information they have received from OPM is “sketchy” and downplays the seriousness of the attack. The government hasn’t responded to the union’s claims of encryption failures and the breach’s scope.

“[V]ery little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in departments and agencies throughout the executive branch,” Cox wrote in the letter to OPM, according to the AP.

Identity theft has long been a problem, but issues like data breaches and a lack of online privacy have brought identity theft concerns to the top of people’s minds. It’s a pretty broad crime, encompassing several things a person can do if they get access to your PII, or personally identifiable information.

One of the worst things that can happen in a privacy breach is exposure of Social Security numbers. They’re wrapped up in most aspects of Americans’ lives — employment, medical histories, taxes, education, bank accounts and so on. The consequences of having your Social Security number end up in someone else’s hands aren’t pretty — most of them are downright terrifying. Here are some of the things they may be able to do:

1. Open Financial Accounts

Your Social Security number is the most important piece of personal information a bank needs when extending you credit or opening an account. With that number, the thief can get credit cards or loans, and when it comes time to repay them, they won’t, damaging your credit in the process. The missed payments are tied to your Social Security number, meaning they’ll end up on your credit report.

In some ways, that’s one of the better outcomes of identity theft — you can use your credit scores and credit reports to spot fraud and put an end to it. Unfortunately, it could take a while for your credit to recover from the damage.

2. Get Medical Care

Health insurance provider Anthem was hit by a data breach recently, and people were first concerned about exposure of medical records. Anthem says medical information wasn’t compromised — Social Security numbers were, and that poses a greater threat to victims’ health.

Someone with your Social Security number could undergo medical treatment, effectively tainting your medical records. Inaccurate medical records could have deadly consequences if you receive treatment based on a false history.

3. Steal Your Benefits

A thief could also use your Social Security number to file for unemployment or Social Security benefits, depleting the assistance you may need to access later on.

Thieves can operate under your identity for years without discovery, and some of these crimes are very difficult to detect. One of the best things you can do is regularly check your credit reports (you can also get your free credit report summary from Credit.com, updated every month), reviewing them thoroughly for unauthorized accounts or public records not related to you. These red flags could indicate clerical errors or identity theft. Either way, you want to watch out for it and act as soon as you see something suspicious.

While details on the OPM breach remain unclear, those who may have been affected should prioritize monitoring their credit — it’s important to remain alert, even if you’re not sure your information has been compromised.

This article originally appeared on Credit.com and was written by Christine DiGangi.