Identity fraud is surging across the United States, but the timing often lags behind the initial data breach. Consumers lost $27.3 billion to traditional identity fraud in 2025, according to Javelin Strategy & Research's 2026 Identity Fraud Study, following a 19% jump the previous year. FTC identity theft reports through the first nine months of 2025 already exceeded the full-year total for 2024, which topped 1.1 million reports.
Stolen identity records often take months or years to be weaponized. After a major breach, data moves through criminal markets-sold to brokers, combined with other leaks, and resold to fraud rings. A Social Security number stolen in 2024 may not be used to open a fake credit line until 2026 or later, long after free credit monitoring has expired.
Major breaches are fueling this future fraud. UnitedHealth confirmed that about 190 million people were affected by the Change Healthcare breach in January 2025, the largest healthcare data breach in U.S. history. National Public Data had up to 2.9 billion records exposed, including Social Security numbers. AT&T disclosed that hackers stole call and text records for about 109 million customer accounts in July 2024.
Thieves use stolen data for synthetic identity fraud, tax refund fraud, medical identity theft, new-account fraud, and account takeover. Free credit monitoring typically lasts only one or two years, expiring just as stolen data begins circulating. A credit freeze blocks new accounts but won't stop fake tax returns or fraudulent medical bills.
To protect yourself: freeze your credit with all three bureaus (Equifax, Experian, TransUnion); change reused passwords immediately; enable multifactor authentication; monitor financial and medical statements; and check credit reports regularly. After free monitoring expires, consider paid services that watch all three bureaus, scan the dark web, and alert you to suspicious activity.
The bottom line: Stolen personal data doesn't expire. Criminals hold onto it, mix it with other records, and use it long after headlines fade. Identity protection must outlast the breach notice. The sooner you spot suspicious activity, the faster you can act.