Do you feel that you get an awful lot of data breach notices in the mail? You’re not alone.
In a 2025 survey of 1,040 people by the Identity Theft Resource Center, a nonprofit that tracks breaches and advises victims, 80 percent said they had received at least one breach notice in the previous 12 months. About 40 percent said they had received three to five separate notices.
The findings ring true to me. I save breach notices in a folder, and over the past few years my husband and I have received eight. They include one from Columbia University in January; one each from Change Healthcare and Ticketmaster in 2024; and letters from a health clinic and utility companies in 2023. Each letter offered some sort of free credit monitoring service.
The notices are mandated by well-intentioned laws requiring that affected consumers be notified of breaches. With more than 3,300 incidents last year, however, breach letters are piling up.
Recently, notices of a breach that occurred more than a year ago, affecting millions of people, have been landing in Americans’ mailboxes. The letters describe a “cyber incident” at a unit of Conduent, a company based in New Jersey that provides business services like billing and payment management to health insurers and government agencies in multiple states.
Data taken may have included names and Social Security numbers as well as medical and health insurance information, although details vary by individual, according to a notice on Conduent’s website. Such information can be used in identity theft to create fraudulent financial or medical accounts in your name.
Federal and state data-breach laws generally require companies to notify victims promptly of such incidents. “Because this analysis is detailed and involves complex files,” a Conduent spokesman said in an email, “the notification process has taken time to complete.”
What should I do if I get a data breach letter?
Data incidents have become so common that you may succumb to “breach fatigue” and be tempted to throw away notification letters. That’s especially true if the company is a vendor that you may not recognize, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group focused on data protection. “People look at it, they say, ‘Oh, this isn’t a hospital,’” she said, “so they just trash it.”
But don’t ignore the letters, Ms. Dixon said. “See what services they are offering, and take them up on it,” she said. Some offer free credit monitoring for a year or two to help you spot fraudulent activity. At least one version of the Conduent letter offered credit monitoring plus identity theft “restoration” services.
How can I verify the letter is legitimate?
About a third of those responding to the Identity Theft Resource Center’s survey said they ignored a breach letter or took no action after getting one, often because they thought it was a scam.
If you suspect that the letter itself may be some sort of “phishing” trick, go to the company’s website to confirm that it’s legitimate, the center recommends. You can also check federal and state breach websites to see if the incident has been formally reported: visit your state consumer protection agency’s website, or look on the federal health care data breach investigations site.
How can I protect my personal information?
“There’s not a lot we can do, as an individual, to prevent a data breach,” said James Lee, president of the theft resource center (and a recipient, he said, of a Conduent breach notice).
But you can take steps to prevent or minimize the potential damage. Don’t wait for a data breach notice, he advised. “Get ahead of it now.”
The first step, he said, is to freeze your credit file at each of the major credit bureaus — Equifax, Experian and TransUnion. That means no one can use your personal information to open new credit cards or take out loans in your name.
Credit monitoring can help remind you to keep an eye on things, but it alerts you after something has happened, Mr. Lee said. So freezing your credit files is more protective.
How does a credit freeze work?
You can set up the freeze online or through an app by creating an account. Or call the credit bureau or apply by mail if you prefer. It’s free to do so. You’ll need to temporarily “thaw” the files if you want to apply for credit. If you request the thaw online or by phone, the bureau must lift it within one hour.
Should I take special steps to protect my health data?
Yes. Always check your medical bills and your insurer’s report known as the “explanation of benefits.” If you see charges for treatments or prescriptions you don’t recognize, contact your provider to report them and, if necessary, challenge the charges, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.
Ms. Dixon recommended obtaining a paper copy — not a digital version — of your important medical records, either by going online to your doctor or hospital’s portal and printing them out or by requesting paper copies from your provider. That’s because someone could change not just the billing information on your accounts but also the medical record to match the billing information to fraudulently obtain treatment or prescriptions.
Having a hard copy of the original record can help prove that the charge or diagnosis is bogus, Ms. Dixon said. She updates her records with new printouts every year or two, she said.
You don’t need your entire medical record on paper, she said, which could be voluminous. Focus instead on getting paper documents related to significant surgeries or health episodes or chronic conditions.
What other steps can I take?
If you want to be extra diligent, you might consider adding freezes at other specialty data bureaus, Mr. Lee said. For instance, you could place a security freeze on your information at ChexSystems, a provider used by banks to review applications for new accounts. You’ll be given a special PIN to remove the freeze, if needed. You can also freeze your file at the National Consumer Telecom and Utilities Exchange to prevent someone from using your name to open a telecommunications account or utility service.
Check your overall digital hygiene.
Basic online smarts can help keep your personal information safe, Mr. Lee said. Choosing lengthy passwords offers more protection, he said, and saving them in a password manager on your phone or through a paid service can help you keep track of them. Use “passkeys” when offered, he advised. More online services are starting to offer them, because they can be easier to manage and safer than traditional passwords.
Using multifactor authentication — which requires an extra step, like a code sent to your phone, to log onto sensitive accounts — is also wise, he said.
The post What to Do if You’re a Data Breach Victim (and You Probably Are) appeared first on New York Times.




