A May data breach at San Francisco’s Institute on Aging, a nonprofit that provides home care and other support services for seniors in the Bay Area, may have compromised the personal information of nearly 4,000 clients and employees.

On May 28, an “unauthorized individual” may have accessed email accounts of the institute’s employees, gaining unauthorized access to the names, addresses, Social Security numbers, emails, phone numbers, dates of birth, financial records and health information — including diagnoses, treatment and medical payment information — of employees and clients, according to a letter sent by the institute’s attorney to the California Department of Justice.

The incident was reported to the California attorney general’s office, which is required by state law if a breach affects California residents, and to the U.S. Department of Health and Human Services Office of Civil Rights on July 20. The office of civil rights investigates breaches of protected health information that affect at least 500 people.

The institute immediately secured its systems and began an investigation led by data security experts, according to the letter.

“Institute on Aging also took additional measures to secure its systems and client and employee information to prevent similar incidents from occurring in the future,” the letter said.

The 3,907 individuals affected by the breach were notified on July 20. They are eligible to receive one year of free credit and identity monitoring services through AllClear ID, paid for by the Institute on Aging.

Those affected by the incident can direct questions to the AllClear ID assistance line at 855-682-4175.

A spokeswoman for the institute said there is no evidence that suggests any personal information has been used improperly.

“We wanted to do everything we could to protect those who were impacted so we went above and beyond,” said Jacqueline Murray, vice president of marketing and communications at the Institute of Aging. “There’s no evidence of harm, but we’re being overly cautious.”

Catherine Ho is a San Francisco Chronicle staff writer. Email: cho@sfchronicle.com Twitter: @Cat_Ho

©2018 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.