And personal info, including medical records from 1 in 3 Americans, was swiped in the massive Change Healthcare data breach made public in 2024.

The resulting losses are staggering. Criminals stole nearly $23 billion from consumers last year in traditional identity fraud, often info filched in part from data breaches, according to a report cosponsored by AARP and Javelin Strategy & Research. “Your data is valuable. Bad guys find ways to make money with it,” says James E. Lee, the ITRC’s chief operating officer.

More than 80 percent of Americans have received at least one data-breach notification in the past year, Lee says. But more than half of them don’t know what to do next. “People are afraid,” says Amy Nofziger, director of fraud victim support for the AARP Fraud Watch Network. “They’re worried about what it means when you get a notification. They’re unsure about what steps to take. We want people to feel empowered and not to panic.”

Recent callers to AARP’s Fraud Watch Network Helpline have plenty of questions about data breaches, Nofziger says. They include Joyce, a Michigan resident, who’s frightened after getting a data-breach letter in the mail. Eugene, from Montana, got a similar letter regarding the Change Healthcare breach. It exposed his Social Security and driver’s license numbers. Rebecca, from Maryland, received documents to sign after a health care system data breach but doesn’t know if it’s safe to share her Social Security number.

Data breaches target customer information kept online by companies, organizations, health care systems, schools and government agencies. Banks, drug store chains, ticket agencies, health insurers, hotel chains and even auto parts stores have been in the crosshairs recently.

Criminals break into databases—often by sending a fake email to an employee. They download your data, then sell it on the internet’s dark web or use it to access consumers’ bank accounts and credit cards, open financial accounts in consumers’ names, even file fraudulent tax returns and pocket the refund. What they want most may surprise you.

“Social Security numbers are important to protect, but in fact they’ve been compromised for years,” Lee says. “What is more valuable is your login and your password. And your driver’s license is extraordinarily valuable because people can use it to open new accounts in your name. On the dark web, driver’s license information sells for $150 to $250.”

The total number of data breaches in the U.S. hit a record high of 3,203 in 2023, but the number of affected consumers soared in 2024 with the rise of “mega breaches” affecting more than 100 million individuals. Laws in all 50 states as well as Washington, D.C., Puerto Rico and the Virgin Islands, require companies to notify consumers of a breach involving personal information, according to the Federal Trade Commission.

But don’t wait for a notification letter to protect yourself, says Lisa Plaggemier, executive director of the National Cybersecurity Alliance. “Breaches can occur without companies even realizing it right away, so it’s crucial to establish good security habits that you maintain regularly,” Plaggemier says. “Assume your data may already be out there and focus on improving your security habits.” She recommends freezing your credit reports, using unique long passwords for online accounts, setting up multi-factor authentication and monitoring your financial accounts regularly. “This way, you’ll gain more peace of mind without the constant worry of chasing down every potential data breach.”