You received a breach notification letter. Now what? Most of those letters offer one or two years of free credit monitoring and call it a day. That’s the floor of the response — and for health data, it’s a deeply incomplete floor.
What the breach notification has to tell you
Under HIPAA’s Breach Notification Rule and most state laws, the breached entity is required to tell you:
- What happened (what type of incident, when it was discovered)
- What kinds of information were exposed
- What the entity is doing in response
- What you can do to protect yourself
- Contact information for follow-up questions
Notably absent from the required content: any meaningful explanation of what your health data is at ongoing risk of. The credit-monitoring offer is the default response template; it addresses financial identity theft, not medical identity theft.
What credit monitoring covers (and doesn’t)
Credit monitoring tells you when someone opens a credit account in your name. It does not tell you when someone uses your insurance for their own care. It does not stop your data from being shared, sold, or reused by other entities downstream. It does not address the fact that your diagnoses, your test results, and your medication history are already circulating through the broader healthcare ecosystem.
What to do, in order
- Accept the offered credit monitoring.
- Place a credit freeze with all three bureaus.
- File an IRS identity-theft affidavit (Form 14039).
- Review Explanation of Benefits statements from your insurer.
- Stop the ongoing flow of your health data with services that automate HIPAA restrictions and HIE opt-outs. This is the step credit monitoring won’t do.
See /breaches for incident-specific guides to recent breaches.