What Is a Data Breach and What Should You Do If You're Affected?

Digital Privacy & Online Scams · Editorial Team · April 9, 2026 · 8 min read · Updated Apr 2026

Quick Answer

A data breach is when your personal information is accessed without authorisation, often through a company you have an account with. If you are notified of a breach, change your password on the affected account immediately, enable two-factor authentication, check for fraudulent activity on financial accounts, and consider placing a credit freeze. Steps depend on what type of information was exposed.

Data breaches happen constantly. Major companies, healthcare providers, and government agencies have all experienced them. Most people will be affected by at least one breach during their lifetime, often without knowing it for months. What you do in the days after learning your data was exposed can significantly limit the damage.

What Gets Exposed in a Data Breach

Not all breaches are equally serious. The risk depends on what type of data was taken.

Data Type Exposed | Risk Level | Immediate Action Needed
Email address only | Low | Monitor for phishing increase
Email and password | High | Change password immediately on all sites where it is reused
Social Security number | Very High | Place credit freeze, file fraud alert
Payment card numbers | High | Contact bank, request new card
Medical records | High | Contact insurer, monitor for medical identity theft
Date of birth and address | Medium | Monitor credit, watch for identity theft
Login credentials | High | Change password, enable 2FA

Step 1: Verify the Breach Is Real

Scammers sometimes send fake breach notification emails to trick people into clicking links or providing information. Before taking any action from a notification email:

  • Go directly to the company's official website by typing the URL yourself
  • Look for a breach announcement in their newsroom or security section
  • Check HaveIBeenPwned.com, a free, legitimate service that shows which breaches have included your email address

Do not click links in breach notification emails to "verify your account" or "protect your information." Go directly to the source.

Step 2: Change Affected Passwords Immediately

If login credentials were exposed, change your password on the breached site right away. Then check whether you used the same password on any other site and change it there too.

Password reuse is the primary way a single breach becomes multiple account compromises. Use a different password for every account, especially email and banking. A password manager makes this manageable.

Enable two-factor authentication on the breached account and on any account where you use the same password.
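
One way to carry out the reuse check from this step is to run it over a password manager export. This is an added example, not part of the original article; the CSV column names (name, url, username, password) and the sample accounts are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption; adjust the
# field names to match what your password manager actually exports.
SAMPLE_EXPORT = """name,url,username,password
ExampleShop,https://shop.example,alice@example.com,Tr0ub4dor&3
ExampleMail,https://mail.example,alice@example.com,correct horse battery staple
ExampleForum,https://forum.example,alice,Tr0ub4dor&3
ExampleBank,https://bank.example,alice@example.com,x9!Lq2#vPz
ExampleNews,https://news.example,alice@example.com,Tr0ub4dor&3
ExampleCloud,https://cloud.example,alice@example.com,correct horse battery staple
"""

def _fingerprint(password):
    # Group by digest so the passwords themselves never appear in the result.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def accounts_sharing_password(export_file, breached_site):
    """Return (accounts reusing the breached site's password, other reuse groups)."""
    groups = defaultdict(list)
    breached_prints = set()
    for row in csv.DictReader(export_file):
        if not row.get("password"):
            continue  # skip entries with no stored password
        fp = _fingerprint(row["password"])
        groups[fp].append(row["name"])
        if row["name"].lower() == breached_site.lower():
            breached_prints.add(fp)
    # Accounts that share the exposed password: change these first.
    urgent = sorted(
        name for fp in breached_prints for name in groups[fp]
        if name.lower() != breached_site.lower()
    )
    # Reuse unrelated to this breach: lower priority, but still worth fixing.
    other_reuse = sorted(
        sorted(names) for fp, names in groups.items()
        if fp not in breached_prints and len(names) > 1
    )
    return urgent, other_reuse

if __name__ == "__main__":
    urgent, other = accounts_sharing_password(io.StringIO(SAMPLE_EXPORT), "ExampleShop")
    print("Change now (same password as breached site):", urgent)
    print("Other reused passwords:", other)
```

A password manager export is an unencrypted file, so delete it once the audit is done.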

Step 3: Take Action Based on What Was Exposed

Social Security number exposed:

  • Place a credit freeze at all three bureaus immediately (Equifax, Experian, TransUnion). This is free at each bureau's website
  • Place a fraud alert at one bureau (they notify the other two). This is free and lasts one year
  • File a report at IdentityTheft.gov if you notice fraudulent accounts

Payment card numbers exposed:

  • Call the number on the back of your card and request a new card number
  • Review recent transactions for any unauthorised charges
  • Dispute any fraudulent charges under the Fair Credit Billing Act

Medical records or health insurance information exposed:

  • Contact your health insurer's fraud department
  • Request an explanation of benefits and review for services you did not receive
  • File a complaint with HHS at hhs.gov/ocr/privacy if the breach involved a healthcare provider

Step 4: Monitor Your Credit

After any significant breach, pull your free credit reports at AnnualCreditReport.com and review them for accounts you do not recognise. Consider staggering requests across the year (one bureau every four months) to maintain ongoing monitoring.

Many credit card issuers also provide free credit score and report monitoring through their apps or portals.

Your Rights After a Data Breach

Companies must notify you. Under state breach notification laws (all 50 states have them), companies are required to notify you if your personal information was exposed in a breach. Federal laws impose additional notification requirements on healthcare providers and financial institutions.

What to expect from the notification: The notification should tell you what type of data was exposed, when the breach occurred and was discovered, what the company is doing about it, and what steps you can take. Many companies offer free credit monitoring as part of the notification. Take it, but do not rely on it as your only protection.

Free credit monitoring offers: If a company offers free monitoring after their breach, enroll. It provides an extra layer of alerts at no cost. It does not prevent harm but does provide earlier warning.

Where to Report

Agency | Website / How to File
FTC breach complaint | ReportFraud.ftc.gov, 1-877-382-4357
Healthcare breach (HIPAA violation) | HHS at hhs.gov/ocr/privacy, 1-800-368-1019
Financial institution breach | CFPB at consumerfinance.gov/complaint, 1-855-411-2372
Your state attorney general | usa.gov/state-consumer

Frequently Asked Questions