Identity fraud is becoming increasingly prevalent in the United States, though the timelines and causes behind the incidents are often inconsistent. According to the 2026 Identity Fraud Study by Javelin Strategy & Research, consumers faced losses of $27.3 billion due to traditional identity fraud in 2025. In 2024, there was a notable 19% increase, with losses hitting $27.2 billion.
Reports of identity theft to the FTC surged in 2025, with the number of reports in the first nine months already surpassing the total for all of 2024. The FTC’s Consumer Sentinel data indicates that they received over 1.1 million identity theft reports in 2024 alone.
Infringement notifications are becoming almost routine, but the associated risks can linger long after the notifications are issued. The Identity Theft Resource Center (ITRC) documented a record 3,322 data breaches in 2025. An ITRC survey revealed that 80% of consumers received at least one breach notification in the past year, and among them, 88% experienced negative consequences, like attempts to take over accounts.
Why Old Breach Data Turns Into New Fraud
It often takes time for stolen personal data to be exploited. Following a significant breach, the compromised data can circulate through criminal channels in stages. This data may be sold to brokers and then resold to fraud groups, creating a comprehensive identity profile that combines information from multiple breaches.
This means that Social Security numbers stolen in, say, 2024 might not be used for fraudulent activities until 2026 or beyond. By then, any offered free credit monitoring may have already lapsed, and the breach itself may no longer be in the news.
Major Breaches That May Enable Future Identity Theft
In January 2025, UnitedHealth confirmed that nearly 190 million individuals were impacted by a significant data breach that exposed personal and health-related information—making it the largest known medical data breach in the U.S. The affected consumers received two years of free credit monitoring and identity theft protection, with a registration deadline set for August 26, 2025.
Additionally, National Public Data reported a data breach affecting up to 2.9 billion records, many of which were not verified or unique. Exposed information included Social Security numbers, addresses, and next of kin details.
In July 2024, AT&T disclosed that hackers accessed call and text message records linked to about 109 million customer accounts. The stolen data included details about calls and texts, such as contact numbers and times, but did not compromise the content of those communications.
Dealing with Stolen Personal Information
Stolen identity data can fuel various types of fraud. Some fraudulent activities may not appear on a victim’s credit report, tax documents, or insurance records for months or even years.
Synthetic ID Fraud
In this case, criminals mix real Social Security numbers with fictitious names and dates of birth. They use this forged profile to open new lines of credit, gain trust, and eventually drain accounts.
Tax Refund Fraud
Fraudsters file fake tax returns using stolen Social Security numbers, often leaving victims unaware until their legitimate tax filings are denied.
Medical Identity Theft
Criminals use stolen personal and health insurance information to submit claims for services victims never received. Many only find out when they receive unexpected bills, hit their insurance limits, or get collection notices.
New Account Fraud
This involves using stolen details to open credit cards, car loans, and utility accounts. Victims often discover the fraud only when checking their credit reports.
Account Takeover
Here, criminals apply stolen usernames and passwords to access existing accounts like email and online banking. Automated tools are often employed to test the same credentials across multiple sites.
Why a Credit Freeze Isn’t Enough
Standard advice following a breach usually includes freezing your credit and accepting free monitoring offers. While these steps help, they’re not foolproof. Free monitoring typically lasts one to two years, which often expires long before stollen data is used for fraud.
A credit freeze can limit new accounts from being opened in your name, but it won’t stop all fraud. For instance, it won’t prevent someone from using your Social Security number to file a false tax return or engage in fraudulent medical billing.
One-off dark web scans have their own shortcomings, revealing where data might appear at a specific moment but not where it could surface next. Once a Social Security number circulates in criminal networks, it can remain accessible indefinitely.
How to Protect Yourself After a Breach
If your data is compromised, consider these steps to minimize risk and detect suspicious activities sooner.
1) Freeze Your Credit
This can prevent criminals from opening new credit accounts in your name. Be sure to freeze your credit with all three major bureaus: Equifax, Experian, and TransUnion. If you need credit, you can temporarily lift the freeze.
2) Change Reused Passwords
If you share passwords across accounts, change them immediately. Hackers often exploit stolen information on various sites. Using a password manager can help you maintain strong, unique passwords for each account.
3) Enable Multi-Factor Authentication
4) Monitor Financial and Medical Accounts
Regularly review your bank statements, credit card transactions, insurance claims, and benefit statements for any unfamiliar activities. Medical identity theft is often unnoticed until a bill or collection notice comes in.
5) Check Your Credit Report
Monitor your credit report for unfamiliar accounts or inquiries. You can access it for free at AnnualCreditReport.com. If you detect anything suspicious, report it immediately and follow up with the credit bureaus.
What to Do After Free Monitoring Expires
Consider enrolling in paid identity theft protection services that offer continuous data monitoring. These services aim to reduce the time between data theft and when it causes harm.
Look for a service that monitors all three major credit bureaus, scans the dark web, and alerts you to suspicious activities regarding your personal information. Some also keep an eye on data broker sites and records related to home ownership and financial accounts.
Key Takeaways
Once the initial media coverage fades, and free monitoring comes to an end, notifications of breaches can seem like yesterday’s issue. However, compromised personal data doesn’t expire. Criminals can retain it, merge it with other leaked data, and exploit it long after the initial breach has been forgotten. That’s why sustained privacy protection is crucial. Implementing a credit freeze, strong passwords, multi-factor authentication, and vigilant account monitoring are all essential steps. Identity fraud is often a long game, and early detection can significantly mitigate potential damage.
