Chapter 17: Ransomware and Data Breaches Can Destroy Your Life
You open your mailbox on a Tuesday afternoon. Between the electric bill and a credit card offer, you find a letter from a company you do not remember doing business with. The envelope looks official. The letter inside is two pages long. The first line reads: "We are writing to inform you of a recent security incident." Your stomach drops. You scan the rest of the letter. It tells you that your name, your date of birth, your Social Security number, your health insurance policy number, and your banking information were "potentially accessed by an unauthorized third party." The letter does not tell you when the breach happened. The letter does not tell you how the attackers got in. The letter offers you twelve months of free credit monitoring and suggests you "remain vigilant."
You fold the letter. You set it on the kitchen counter. And you do nothing. Because this is the third one you have received this year.
If that scenario sounds familiar, you are in the majority. Eighty percent of American consumers received at least one breach notification letter in 2025 alone. Forty percent received between three and five separate notices in a single year. Since 2005, more than twelve billion breach notification letters have been sent in the United States, a number that exceeds the entire population several times over. The data breach is no longer a rare event that happens to someone else. The data breach is a permanent feature of American life, and the consequences stack up silently over years and decades like interest on a debt you never agreed to carry.
This chapter is about what happens when the companies holding your most sensitive information lose control of it. This chapter is about the scale of the problem, the specific failures behind the worst breaches in recent history, the criminal industry that now profits from those failures, and the gap between what the law promises you and what the law actually delivers. Most of all, this chapter is about what you need to do right now, today, to protect yourself and your family, because the system designed to protect you is broken.
Three Thousand Breaches a Year and Counting
The numbers tell a story that defies common sense. In 2025, the Identity Theft Resource Center documented 3,322 data breaches across the United States, a new all-time record and a 79 percent increase over just five years. Three consecutive years, 2023 through 2025, exceeded 3,000 compromises annually, a threshold never previously approached. In 2024, six massive breaches drove victim notifications to 1.35 billion, more than four times the entire U.S. population. That means on average every American received four separate notifications in a single year that their data had been stolen.
The upward climb has been relentless. In 2017, there were 1,506 reported breaches. That number dipped slightly in 2018, climbed again in 2019, and dropped during the pandemic disruption of 2020. Then everything accelerated. Breaches surged 68 percent in 2021. They doubled again by 2023. They have stayed above 3,100 every year since. The attacks have also become more secretive. In 2020, nearly all breach notification letters explained what caused the attack. By 2025, only 30 percent did. Seven out of ten notification letters now tell you your data was stolen and refuse to explain how the attackers got in.
The financial damage is staggering. The average cost of a data breach in the United States hit $10.22 million in 2025, an all-time high and more than double the global average. Healthcare remains the most expensive industry for breaches, a distinction it has held for fourteen straight years. The FBI recorded $16.6 billion in cybercrime losses across 859,532 complaints in 2024, a 33 percent jump from the prior year. And the average breach takes 241 days from intrusion to containment. That means a breach discovered today started nearly eight months ago.
The history books are filled with breaches so large they reshaped entire industries. The Yahoo breach of 2013, not disclosed until late 2016, ultimately encompassed all three billion user accounts. The Equifax breach of 2017 exposed the Social Security numbers, birthdates, and addresses of 147.9 million Americans, roughly 40 percent of the entire population. Four Chinese military hackers were eventually indicted. Equifax paid $1.38 billion in total costs. Capital One lost 106 million records in 2019 after a former cloud services employee walked through a misconfigured firewall. T-Mobile has suffered at least eight known breaches between 2018 and 2023, including one affecting 76.6 million people.
The drumbeat never stops. In January 2025, PowerSchool, a K through 12 education technology platform, disclosed that attackers used a stolen contractor login to access 62 million student records and 10 million teacher records. Blue Shield of California exposed 4.7 million records through a Google Analytics misconfiguration. DaVita, the dialysis provider, suffered a ransomware attack that compromised 2.7 million patient records. And researchers identified a compilation of 16 billion stolen credentials aggregated from malware across thousands of sources, the largest credential dump ever assembled.
One Missing Checkbox Shut Down American Healthcare
The February 2024 ransomware attack on Change Healthcare stands as the single most consequential cyberattack in the history of American healthcare. Not because the attackers were geniuses. Because the failure was breathtakingly simple.
Change Healthcare processes roughly 15 billion healthcare transactions every year, totaling more than $1.5 trillion in claims. The system connects 1.6 million health professionals, 70,000 pharmacies, and 8,000 healthcare facilities. When UnitedHealth Group acquired Change Healthcare in October 2022 for $13 billion, the American Hospital Association later described the combined entity as the predominant source of more than 100 critical functions that keep the entire U.S. healthcare system running.
On February 12, 2024, an affiliate of the ALPHV/BlackCat ransomware gang gained access through a Citrix remote access portal. The portal lacked multi-factor authentication. That is a basic security control, the digital equivalent of a deadbolt on your front door. The attackers moved through the network for nine days. They stole an estimated six terabytes of data. On February 21, they deployed ransomware, encrypting systems and forcing Change Healthcare to shut down its entire network. Billing systems, pharmacy claims processing, prior authorizations, and electronic prescribing collapsed simultaneously across the country.
The impact hit patients immediately. Thousands of pharmacies could not process prescription claims for weeks. Military pharmacies worldwide went dark. Patients faced a choice between paying full out-of-pocket prices or going without their medications. A survey of roughly 1,000 hospitals found that 94 percent reported financial damage, 74 percent reported direct harm to patient care, and 33 percent said the attack disrupted more than half of their revenue. Eighty percent of physician practices lost revenue from unpaid claims. Fifty-five percent of practice owners used their own personal savings to cover office bills and payroll. Industry estimates placed provider losses at roughly $100 million per day.
Around March 1, 2024, UnitedHealth Group paid approximately $22 million, about 350 Bitcoin, to the ransomware gang. CEO Andrew Witty later described the decision as one of the hardest he had ever made. The payment accomplished nothing. The gang's leadership pocketed the entire $22 million, refused to share it with the affiliate who actually conducted the attack, posted a fake FBI seizure notice on their dark web site, and vanished. The unpaid affiliate retained all the stolen data and launched a second extortion attempt through a new criminal operation called RansomHub, publishing partial stolen files as proof. UnitedHealth reportedly refused to pay a second time.
On May 1, 2024, Witty testified before the Senate Finance Committee and the House Energy and Commerce Subcommittee for more than four hours. The testimony revealed damning facts. Witty acknowledged the server through which attackers entered was not protected by multi-factor authentication. Senator Ron Wyden called the failure "cybersecurity 101." Senator Thom Tillis brought a copy of Hacking for Dummies to the hearing. Senator John Barrasso asked why a small, financially struggling hospital in Wyoming managed to turn on multi-factor authentication when a company generating nearly $100 billion in quarterly revenue did not. Witty disclosed that some of the company's technology dated back 40 years, and that the primary and backup systems were not isolated from each other, so both were directly compromised in the same attack.
The final scope of the breach dwarfed every initial estimate. Change Healthcare first filed a report with the Department of Health and Human Services listing 500 affected individuals. By October 2024, that number grew to 100 million. By January 2025, it reached 190 million. The confirmed final total, reported July 31, 2025: 192.7 million individuals. That is roughly two-thirds of the American population and by far the largest healthcare data breach in U.S. history. The exposed data included health insurance information, medical records, prescriptions, diagnoses, Social Security numbers, and banking details.
UnitedHealth Group reported $3.09 billion in total breach-related costs for 2024. As of March 2026, 78 class action lawsuits have been consolidated into federal multi-district litigation in Minnesota. The Nebraska Attorney General filed the first state lawsuit, and a motion to dismiss was denied in November 2025. The HHS Office for Civil Rights investigation remains ongoing. No penalties have been announced.
The deeper lesson reaches beyond any single security failure. Change Healthcare's dominance created a single point of failure for the entire healthcare payment system in America. Nearly every hospital in the country ran transactions through this one system. When one company controls that much critical infrastructure, one missing security checkbox brings the whole thing down.
A Home Office in Florida Held Your Social Security Number
If the Change Healthcare breach showed what happens when a giant company fails at basic security, the National Public Data breach revealed something equally alarming: a shadow industry of data brokers collecting sensitive records on virtually every American adult with almost no security, almost no regulation, and almost no accountability.
National Public Data, operated by a Florida company called Jerico Pictures, was a background check data broker run by a single individual, a retired sheriff's deputy, from a home office in Pompano Beach. The company had fewer than 25 employees, annual revenue of roughly $1.15 million, and equipment consisting of two HP desktop computers, one laptop, and five servers. From that home office, NPD had compiled personal records on hundreds of millions of people.
A threat actor began probing NPD's systems in late December 2023 and successfully stole the entire database. The stolen data was posted on a dark web forum with a $3.5 million asking price. When no one paid that price, another hacker leaked the bulk of the database for free in July 2024. The headline figure was 2.9 billion records, a number confirmed by the 277 gigabyte file size. Security researchers determined that massive duplication inflated the count, with multiple entries per person for every address they had ever lived at over roughly 30 years. The realistic estimate of affected living individuals fell between 170 million and 272 million, still a catastrophic number representing the majority of American adults. Security journalist Brian Krebs discovered that NPD's sister site hosted a publicly accessible file containing source code and plaintext admin usernames and passwords. All users shared the same six-character default password. Data was stored unencrypted.
Jerico Pictures filed for Chapter 11 bankruptcy in October 2024, listing total assets between $25,000 and $75,000. The company shut down permanently in December 2024. At least 20 class action lawsuits were filed. Given the company's insolvency, with less than $75,000 in assets against potential liabilities in the billions, meaningful financial compensation for victims is functionally impossible. The California Privacy Protection Agency filed a $46,000 enforcement action against NPD for failing to register as a data broker. That $46,000 fine captures the absurd mismatch between the tools regulators have and the scale of the damage they are supposed to address.
Ransomware Became a Business
Ransomware has evolved from crude software that locked your files and demanded a few hundred dollars into a professionalized criminal industry with organizational charts, revenue sharing agreements, customer service operations, and business models that mirror legitimate software companies.
The tactical shift has been dramatic. Before 2019, ransomware simply encrypted your files and demanded payment for a decryption key. Then criminal groups started stealing data before encrypting it, threatening to publish the stolen information publicly if the ransom went unpaid. That is called double extortion. By 2024, 96 percent of ransomware cases involved data theft alongside encryption. Some groups added a third layer of pressure, launching attacks against victims' websites, directly contacting victims' customers, or threatening individuals whose data was stolen. The most striking recent shift is toward extortion without encryption at all. By 2025, only 50 percent of ransomware incidents involved encryption. Criminal groups realized stolen data creates permanent leverage. You recover encrypted files from a backup. You never recover data that someone else already has.
The criminal business model runs on something called Ransomware as a Service. Developers create and maintain the ransomware code, the infrastructure, the leak sites, and the negotiation portals. Affiliates purchase access and carry out the attacks. Specialists called initial access brokers focus on gaining network footholds and selling them. Revenue splits typically give 70 to 80 percent to affiliates and 20 to 30 percent to the operators. Some of these operations charge as little as $40 a month. As of 2025, more than 85 distinct operations were running simultaneously, and 124 named ransomware groups were being tracked, a 46 percent increase from the year before.
Law enforcement has scored significant wins. In February 2024, Operation Cronos, led by the UK's National Crime Agency and the FBI, seized 34 servers belonging to LockBit, the dominant ransomware group globally, responsible for 25 percent of all attacks. The operation froze more than 200 cryptocurrency accounts and recovered over 1,000 decryption keys. LockBit's leader was publicly identified as a Russian national, though he was not apprehended. LockBit's ransom payments dropped 79 percent in the second half of 2024. The ALPHV/BlackCat group, the gang behind the Change Healthcare attack, collected the $22 million ransom and then executed an exit scam, vanishing permanently. The Cl0p gang's 2023 exploitation of the MOVEit file transfer system compromised more than 2,700 organizations and exposed data on roughly 93 million individuals.
Total ransomware payments dropped from a record $1.25 billion in 2023 to $813 million in 2024, a 35 percent decline. Only 28 percent of victims paid in 2025, the lowest rate on record. The decline comes from law enforcement actions seeding distrust in criminal networks, from improved backup practices, and from growing evidence, demonstrated most dramatically by the Change Healthcare case, that paying does not guarantee the return of your data or prevent further extortion. The economic toll remains immense. Global ransomware damages reached an estimated $57 billion in 2025. The FBI ranked ransomware as the most pervasive threat to critical infrastructure, and half of all ransomware attacks in 2025 struck critical infrastructure sectors.
For historical perspective, the May 2021 Colonial Pipeline attack remains the moment ransomware entered the national conversation. A criminal group shut down the largest refined oil pipeline in the United States, 5,500 miles carrying 45 percent of the East Coast's fuel supply, for five days. Gas stations across the Southeast ran dry. The president declared a state of emergency. Colonial paid $4.4 million. The attack triggered a cybersecurity executive order, new pipeline security directives, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
After the Breach: Your Data Never Stops Working Against You
A data breach is not a single event. The breach is the starting gun on a chain reaction that persists for years, compounding harm through stolen credentials, identity theft, synthetic fraud, and a thriving underground economy in personal information.
When attackers steal username and password combinations from one service, they automatically test those same combinations against hundreds of other platforms. This is called credential stuffing. Because 65 percent of people reuse passwords across multiple accounts, even a tiny success rate, as low as one tenth of one percent, translates into hundreds of thousands of compromised accounts when launched at scale. Akamai recorded 26 billion credential stuffing attempts per month in 2024.
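The pattern described above has a recognizable shape in a login audit trail: one source address trying many different usernames, mostly failing, with the occasional success that the tiny hit rate produces. The following detector is an added example, not code from the chapter; the log line format, the field names, the sample IP addresses and usernames, and the thresholds (five distinct users, 80 percent failures, a five-minute window) are all constructed for illustration. It also separates credential stuffing from a brute-force attack, where one username absorbs all the failures, since the two call for different responses.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example (not the chapter's code). A source IP is classified as
credential stuffing when, inside a sliding time window, it attempts
logins for many *distinct* usernames with a high failure ratio. One
username with many failures is brute force instead; a handful of
failures is ordinary mistyping.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple, Dict, Iterable
import re

# Assumed log format for this example: ISO timestamp, source IP, username,
# and result (OK or FAIL). Real audit logs differ; adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts (one succeeds),
# 198.51.100.9 is one user who mistyped twice, 192.0.2.44 hammers one user.
SAMPLE_LOG = """\
2025-03-04T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2025-03-04T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2025-03-04T10:00:03 ip=203.0.113.7 user=carol result=FAIL
2025-03-04T10:00:04 ip=203.0.113.7 user=dave result=OK
2025-03-04T10:00:05 ip=203.0.113.7 user=erin result=FAIL
2025-03-04T10:00:06 ip=203.0.113.7 user=frank result=FAIL
2025-03-04T10:01:00 ip=198.51.100.9 user=alice result=FAIL
2025-03-04T10:01:10 ip=198.51.100.9 user=alice result=FAIL
2025-03-04T10:01:20 ip=198.51.100.9 user=alice result=OK
2025-03-04T10:02:00 ip=192.0.2.44 user=gina result=FAIL
2025-03-04T10:02:05 ip=192.0.2.44 user=gina result=FAIL
2025-03-04T10:02:10 ip=192.0.2.44 user=gina result=FAIL
2025-03-04T10:02:15 ip=192.0.2.44 user=gina result=FAIL
2025-03-04T10:02:20 ip=192.0.2.44 user=gina result=FAIL
2025-03-04T10:02:25 ip=192.0.2.44 user=gina result=FAIL
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK")


Stats = Tuple[int, int, int]  # (distinct_users, attempts, failures)


def summarize(lines: Iterable[str], window: timedelta = timedelta(minutes=5)) -> Dict[str, Stats]:
    """For each source IP, the busiest sliding window seen, as (users, attempts, failures)."""
    per_ip: Dict[str, deque] = defaultdict(deque)
    worst: Dict[str, Stats] = {}
    for line in lines:
        a = parse_line(line)
        if a is None:
            continue
        q = per_ip[a.ip]
        q.append(a)
        while a.ts - q[0].ts > window:  # drop attempts that fell out of the window
            q.popleft()
        stats = (len({x.user for x in q}), len(q), sum(1 for x in q if not x.ok))
        if a.ip not in worst or stats[1] > worst[a.ip][1]:
            worst[a.ip] = stats
    return worst


def classify(stats: Stats, min_users: int = 5, min_attempts: int = 5,
             min_fail_ratio: float = 0.8) -> str:
    """Label a window: many users + mostly failures is stuffing; one user is brute force."""
    users, attempts, failures = stats
    if attempts < min_attempts or failures / attempts < min_fail_ratio:
        return "normal"
    return "credential_stuffing" if users >= min_users else "brute_force"


def detect(lines: Iterable[str]) -> Dict[str, str]:
    """Map each source IP in the log to its classification."""
    return {ip: classify(s) for ip, s in summarize(lines).items()}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {label}")
```

The distinguishing signal is the number of distinct usernames per source, not the raw failure count; a rate limiter keyed only on username never sees a stuffing run, because each account is tried once. Keying the limit on source address, and alerting when the distinct-user count climbs, catches the low-and-slow variant as well.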
Specialized malware called infostealers harvested 1.8 billion credentials in 2025 alone, an 800 percent surge. More than 54 percent of ransomware victims in recent years had their stolen login credentials appear on criminal marketplaces before the ransomware attack hit, sometimes with less than 48 hours between the credential theft and the ransomware deployment.
The FTC recorded 1,135,270 identity theft reports in 2024, a 9.5 percent increase, with total fraud losses exceeding $12.5 billion. The most common type was credit card fraud, with nearly 89 percent involving new accounts that criminals opened using stolen personal data. Through the first three quarters of 2025, identity theft reports had already exceeded the entire 2024 total.
A growing form of fraud called synthetic identity theft combines real stolen data, typically Social Security numbers, with fabricated names and addresses to build entirely fictitious people. Lenders reported $3.3 billion in exposure to synthetic identities by the end of 2024, an all-time high. Children are especially at risk because their Social Security numbers have no credit history, and the fraud often goes undetected for more than a decade. Deloitte projects synthetic identity fraud losses will reach $23 billion by 2030.
On dark web marketplaces, your Social Security number sells for $1 to $6. A complete identity package, your name, Social Security number, date of birth, and address, costs $20 to $100. Credit card numbers with security codes run $10 to $40. Complete medical records sell for up to $500, ten times the price of a credit card, because medical records contain enough information for insurance fraud, prescription fraud, and identity theft all at once. American identity packages are the cheapest on the market due to decades of oversupply from breaches. Your Social Security number never expires and it does not change. A breach from five years ago keeps generating new victims indefinitely as datasets get recombined, repackaged, and resold.
Identity theft victims spend an average of 100 to 200 hours resolving the damage, and some spend more than 400 hours. Fraudulent accounts sent to collections damage credit scores for up to seven years. In most states, insurance companies factor your credit score into your premiums for auto and homeowners coverage, which means identity theft that damages your credit directly raises your insurance costs. Corrupted background check databases cause job rejections when breached data gets flagged during employment screening. In February 2025, a breach at DISA Global Solutions, a third-party employment screening company, exposed Social Security numbers and financial information for 3.3 million people, the exact data companies use to decide whether to hire you.
Companies Hoard Your Data Like Toxic Waste
Every breach in this chapter was made worse by a common pattern: companies collected and stored far more of your personal data than they needed for any legitimate purpose. The volume of data managed by companies grew tenfold between 2016 and 2021, from 1.45 petabytes to 14.6 petabytes. Every additional record stored is one more record that gets stolen when attackers get in.
Security technologist Bruce Schneier put it plainly: data is a toxic asset, and we need to treat it as we would any other source of toxicity. The Federal Trade Commission has started agreeing. The FTC now treats excessive data retention as an independent violation of the law. In 2024, an enforcement action against Blackbaud, a nonprofit software provider, marked the first time the FTC alleged that keeping personal data longer than necessary was, by itself, an unfair business practice.
Blackbaud had stored Social Security numbers, medical information, and religious affiliations from former customers for years after the business relationship ended. When the company was breached in 2020, all that unnecessary data was exposed. Similar actions against CafePress, which stored more than 180,000 unencrypted Social Security numbers indefinitely for no business reason, and InMarket Media, which retained five years of precise location data, established a clear pattern. The FTC now routinely requires companies to establish mandatory retention schedules, delete unnecessary data, and build real security programs.
California's privacy law requires that data collection, use, retention, and sharing be reasonably necessary and proportionate to the purposes for which data was collected. The European Union's GDPR makes data minimization a legally binding principle with fines reaching 20 million euros or four percent of global annual revenue. In the United States, only California and Maryland have what privacy advocates consider meaningful data minimization rules. For the rest of the country, companies face no legal obligation to limit how much of your data they stockpile.
Breach Notification Letters: Too Little, Too Late
All 50 states now have breach notification laws. That sounds reassuring until you look at what those laws actually require and how they actually work.
Twenty states set numeric deadlines for notifying you after a breach, ranging from 30 to 60 days. Thirty-one states use vague language like "without unreasonable delay," a standard flexible enough to accommodate months or even years of silence. The Change Healthcare breach happened in February 2024. Final notifications were not completed until October 2025, twenty months later. The city of Long Beach, California, took nearly 18 months to notify more than 300,000 residents. The ITRC found that 70 percent of breach notification letters in 2025 withheld how the attack happened, up from 58 percent the prior year. That means you know your data was stolen, you just do not know how, and you have no way to assess your actual risk.
California is leading the way forward. SB 446, signed by Governor Newsom on October 3, 2025, and effective January 1, 2026, requires companies to notify affected California residents within 30 calendar days and the Attorney General within 15 days. When Social Security numbers are compromised, companies must provide at least 12 months of free identity theft prevention services. The law also requires notification letters to follow a standardized format, ending the practice of burying critical information in dense legal text.
The standard remedy companies offer after a breach, 12 to 24 months of credit monitoring, is widely recognized as inadequate. Credit monitoring alerts you after suspicious activity happens. It does not prevent anything. It covers credit fraud and misses medical identity theft, tax fraud, and synthetic identity creation. It expires after a year or two, even though stolen Social Security numbers remain usable forever. An NPR investigation found that when you sign up for "free" monitoring, the terms and conditions sometimes authorize the monitoring company to share your consumer data broadly, meaning the so-called remedy creates new privacy risk. Credit freezes, which have been free under federal law since 2018, provide far stronger protection. Companies rarely mention them in breach notification letters because freezes do not generate revenue for credit bureaus.
No federal breach notification law exists, despite proposals dating back to 2003. Healthcare providers must notify within 60 days under HIPAA. Financial institutions face a 30-day deadline under the Safeguards Rule. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires reports to the Cybersecurity and Infrastructure Security Agency within 72 hours, and its final rule has been delayed to May 2026.
What You Need to Do Right Now
The legal system has shifted the burden of protection almost entirely onto you. That is a failure of policy, and it is infuriating. It is also the reality. The good news is that the most effective tools available to you are free.
Freeze your credit at all three major bureaus: Equifax, Experian, and TransUnion. Federal law has required all credit freezes to be free since 2018. A freeze blocks anyone from opening new credit in your name. It lasts indefinitely. It has zero impact on your credit score. Online or phone freeze requests must be processed within one business day, and unfreezes within one hour. Do not stop at the three major bureaus. Identity thieves know about lesser-known credit reporting agencies and use them as backdoors. Freeze your credit at Innovis, which is used for identity verification. Freeze at ChexSystems, which banks check when you open a new account. Freeze at NCTUE, which telecom and utility providers check. And freeze at LexisNexis, which insurance companies use. A credit freeze is federally regulated under the Fair Credit Reporting Act. A credit "lock," which is a separate product the credit bureaus sell, is a contractual agreement that often contains arbitration clauses and class action waivers. The freeze gives you legal protection. The lock gives the credit bureau revenue.
Check whether your data has already been exposed. The website haveibeenpwned.com, created by security researcher Troy Hunt, tracks more than 15 billion compromised accounts across 900-plus breached sites and lets you search by email address for free. The Identity Theft Resource Center offers a Breach Alert tool that monitors up to five companies and sends you alerts when they are breached. The FTC's IdentityTheft.gov generates personalized recovery plans, official Identity Theft Reports, and pre-filled dispute letters.
Be skeptical of identity theft protection services. Products like LifeLock, Aura, and Identity Guard primarily offer monitoring, which means they tell you after something has gone wrong. As one expert told Consumer Reports: no one can protect you from becoming a victim of identity theft. That protection simply does not exist. These services do not remove your data from the dark web. They do not guarantee reimbursement. Free tools, including credit freezes, the annual free credit report at AnnualCreditReport.com, and the Have I Been Pwned database, often provide equal or better protection.
Stop reusing passwords. Sixty-five percent of people use the same password across multiple accounts, and that single habit is the number one way attackers turn one breach into access to your bank, your email, and your medical records. Use a password manager. Enable multi-factor authentication on every account that offers it. These two steps alone would have prevented the Change Healthcare breach, the most devastating healthcare cyberattack in American history.
The Legal System Is Failing You
The Supreme Court's 2021 decision in TransUnion LLC v. Ramirez created an enormous barrier for anyone trying to hold companies accountable after a data breach. In a five to four ruling, the Court held that consumers whose data was stolen cannot sue in federal court unless they prove the stolen data was actually used by a third party. If identity theft has not materialized yet, courts call the harm speculative. Once it does materialize, proving which specific breach caused the harm is nearly impossible, since most people have had their data stolen in multiple breaches.
Data breach class action filings exceeded 1,800 in 2025, a 200 percent increase since 2022. When settlements are reached, the payouts to individuals are insulting. The Equifax settlement was headlined at $700 million. In practice, only $31 million went to the $125 cash payments consumers were promised. With roughly 5.95 million claimants, most individuals received approximately $5.21 for the exposure of their Social Security number, birthdate, and address. If all 147 million affected people had filed claims, each would have received about 21 cents.
Other democracies have found better answers. The European Union's GDPR requires organizations to notify their supervisory authority within 72 hours of a breach, with fines reaching 20 million euros or four percent of global revenue. Cumulative GDPR fines have exceeded 5.88 billion euros across more than 2,245 enforcement actions. Australia overhauled its entire privacy framework within weeks after two major breaches in 2022 affected a third of its population, raising maximum penalties to 50 million Australian dollars or 30 percent of adjusted turnover. The United States remains a global outlier: 50-plus state laws with varying definitions and timelines, sector-specific federal rules without a unifying framework, and a primary reliance on lawsuits that pay victims pennies.
Your Data Is Already Out There. Your Next Move Is Not.
Here is what the numbers add up to. Three consecutive record-breaking years of data breaches. Victim notifications reaching 1.35 billion in a single year. Average U.S. breach costs at an all-time high of $10.22 million. FBI-tracked cybercrime losses surging 33 percent annually. Ransomware groups numbering 124 and operating like franchises. And a legal system that pays you $5.21 when a company loses your Social Security number to hackers.
The worst breaches share the same features: companies hoarding data they do not need, basic security controls that were never turned on, monopolistic concentration that creates single points of failure, and legacy systems that persist because upgrading them costs more than absorbing the occasional breach. These are not mysterious hacking techniques. These are governance failures. These are choices.
The system that created this mess will not fix itself on its own timetable. And it will not fix itself for your benefit. That is why you have to act now. Freeze your credit at every bureau, including the ones most people do not know about. Check haveibeenpwned.com and see where your data has already been exposed. Stop reusing passwords. Turn on multi-factor authentication everywhere. Talk to your family. Talk to your parents. Talk to your kids.
The companies holding your data have demonstrated, year after year, that they will not protect it. The government has demonstrated, decade after decade, that it will not make them. The only person left to protect you is you.
And you are more than enough for the job.