
March 25, 2026 · 11 min read

A family member got a MedStar breach letter. Here's the practitioner's runbook I sent them: credit freezes, ChexSystems, IRS IP PIN, and what the letter didn't say.
A family member texted me a screenshot of a letter in April. MedStar Health was informing them that their personal information had been exposed in a data breach. The letter was four paragraphs, offered 12 months of free credit monitoring, and included a phone number for questions.
The message came with two words: "what now?"
The breach had happened in September. MedStar mailed notifications on December 3: the 60th day after discovery, the last day permitted under HIPAA. By the time the letter arrived, it was April.
This is what I sent back.
Breach notification letters are written by lawyers to satisfy regulatory requirements, not to help you understand your exposure. Before you do anything, extract the signal from the legalese. Here's how.
"What Happened?" tells you the attack timeline. The MedStar letter disclosed that unauthorized access occurred between September 12 and 16, 2025 and was discovered on October 4, 2025. That four-day window is the attacker's dwell time. MedStar waited until day 60 after discovery to begin mailing: the legal limit, not a violation. Add postal delivery time and the letter arrives months after the breach. Your data was circulating the entire time.
"What Information Was Involved?" is the most important section. Scan for SSN, date of birth, diagnoses, medications, and insurance information. If all five are present, you're dealing with a full identity and medical profile. That's not a credit card breach. It's a different category of problem.
"What We Are Doing" describes what the organization is doing for itself. It is a compliance section written for regulators, not a remediation plan for you. Read past it.
"What You Can Do" is where the gap lives. The standard offer of free credit monitoring is the minimum legally defensible response. It is not sufficient.
A stolen credit card number is worth roughly $5 on dark web markets. A full medical record, including name, SSN, date of birth, diagnoses, medications, and insurance information, sells for $250 to $1,000. The MedStar breach was carried out by threat actors using Rhysida, a ransomware-as-a-service platform first identified in 2023 and the subject of a joint advisory from CISA, the FBI, and MS-ISAC. Rhysida's model is double extortion: encrypt your systems, exfiltrate your data, then auction what they took if the ransom isn't paid. They listed the full MedStar dataset for auction at 25 bitcoin, roughly $3 million at the time of posting.
The reason medical records command that premium is permanence. A credit card can be canceled in 90 seconds. Your date of birth, SSN, and medical history cannot. They can be combined with records from other breaches to build a profile more complete than what most people carry in their own wallets.
As I covered in what motivates attackers to come after you, financial gain drives the vast majority of cybercrime. Medical records enable two distinct fraud categories: financial identity theft (opening accounts, filing tax returns) and medical identity theft (receiving care, obtaining prescriptions, filing insurance claims in your name).
Medical identity theft is the one most people underestimate. It corrupts your health records: wrong medications, wrong diagnoses, wrong blood type on file. That is not just a financial problem. It is a patient safety issue.
Don't wait to see something suspicious. The MedStar breach data was listed for public auction on Rhysida's dark web site months before victims received notification letters. Act now, while the window is still in your favor.
Work through these in order.
1. Freeze your credit at all three bureaus. A credit freeze prevents new accounts from being opened in your name. It's free, takes effect within one business day online, and is legally stronger than a credit lock. A lock is a private contract with the bureau. A freeze is a federal right under the FCRA. Do all three separately:
2. Freeze ChexSystems. ChexSystems is the consumer reporting agency banks use to screen new checking and savings account applicants. It is not one of the three major credit bureaus, and most breach response guides don't mention it. If someone tries to open a bank account in your name, a ChexSystems freeze stops it. Place a ChexSystems freeze here.
3. Get an IRS Identity Protection PIN. If your SSN was exposed, a fraudster can file a tax return in your name and claim your refund before you do. An IRS IP PIN is a 6-digit number that must accompany any federal return filed under your SSN. It takes about 15 minutes to set up and renews annually.
MedStar's notification letters arrived in April, the height of tax season. If you received one and haven't filed yet, this step is not optional. Request your IRS IP PIN here.
This step is almost never mentioned in breach notification letters.
4. Place a fraud flag with your health insurer. Call the member services number on your insurance card and tell them your information was exposed in a healthcare breach. Ask them to flag your account for suspicious claims and to notify you before paying any claim for care you may not have received. Get a reference number for the call.
5. Request your medical records from the breached organization. Under HIPAA, you have the right to your medical records. Request them and review them for any procedures, prescriptions, or diagnoses you don't recognize. This is the paper trail for disputing fraudulent medical claims later. MedStar patients can request records at medstarhealth.org/services/medical-records; allow 5 to 10 business days for processing. For information specific to the breach, see medstarhealth.org/data-incident.
6. Pull your free credit reports. AnnualCreditReport.com gives you free reports from all three bureaus. Review for accounts you didn't open and inquiries you don't recognize.
7. Activate the free monitoring the letter offered. Do this last, after the steps above. The Experian IdentityWorks offer in the MedStar letter is worth activating. It is not sufficient on its own, but it adds a signal layer and costs you nothing.
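The letter-reading checklist above (the dates in "What Happened?", the five data categories in "What Information Was Involved?") and the seven runbook steps can be combined into a small triage script that reads the letter and prints the timeline numbers and the steps that apply. The Python below is an added example, not code from the original post: the sample letter is constructed from the dates and categories the post quotes, and the regular expressions, the category keywords and the step-to-category mapping are my assumptions about how such letters are phrased and which exposed fields make each step relevant.

```python
"""Triage a HIPAA breach-notification letter: pull the timeline and the
exposed data categories out of the text, then map them to runbook steps.
Added example, not from the original post. The sample letter is constructed
from the dates and categories the post quotes; the regexes, keyword lists
and step mapping are assumptions, not a parser for any real letter format."""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# 45 CFR 164.404: individual notice no later than 60 calendar days after discovery.
HIPAA_NOTICE_LIMIT_DAYS = 60

# Constructed sample letter using the facts quoted in the post.
SAMPLE_LETTER = """
What Happened?
Between September 12, 2025 and September 16, 2025 an unauthorized party accessed
certain systems. We discovered the activity on October 4, 2025. We began mailing
notifications on December 3, 2025.

What Information Was Involved?
Name, Social Security number, date of birth, diagnosis and treatment information,
medications, and health insurance information.

What We Are Doing
We engaged outside forensic specialists and notified law enforcement.
"""

DATE = r"[A-Z][a-z]+ \d{1,2}, \d{4}"          # e.g. "October 4, 2025"
HEADING_RE = re.compile(r"^What [A-Za-z ]+\??$")  # the standard question headings


def parse_date(text):
    return datetime.strptime(text, "%B %d, %Y").date()


def sections(letter):
    """Split the letter into {heading: body text} on its standard headings."""
    out, current = {}, None
    for line in letter.splitlines():
        line = line.strip()
        if HEADING_RE.match(line):
            current, out[current] = line, []
        elif current and line:
            out[current].append(line)
    return {h: " ".join(body) for h, body in out.items()}


@dataclass
class Timeline:
    access_start: date
    access_end: date
    discovered: date
    mailed: date


def parse_timeline(what_happened):
    """Extract the four dates from the 'What Happened?' section (assumed phrasing)."""
    window = re.search(rf"[Bb]etween ({DATE}) and ({DATE})", what_happened)
    found = re.search(rf"discovered[^.]*? on ({DATE})", what_happened)
    mailed = re.search(rf"mailing[^.]*? on ({DATE})", what_happened)
    if not (window and found and mailed):
        raise ValueError("letter does not state the dates this parser expects")
    return Timeline(parse_date(window.group(1)), parse_date(window.group(2)),
                    parse_date(found.group(1)), parse_date(mailed.group(1)))


def timeline_metrics(tl):
    """Dwell time, detection lag, and whether mailing met the 60-day HIPAA limit."""
    deadline = tl.discovered + timedelta(days=HIPAA_NOTICE_LIMIT_DAYS)
    return {
        "dwell_days": (tl.access_end - tl.access_start).days,
        "days_undetected": (tl.discovered - tl.access_start).days,
        "days_to_notify": (tl.mailed - tl.discovered).days,
        "hipaa_deadline": deadline,
        "mailed_within_limit": tl.mailed <= deadline,
        "days_exposed_before_notice": (tl.mailed - tl.access_start).days,
    }


# Keywords (assumed) that signal each of the five categories the post tells you to scan for.
CATEGORY_KEYWORDS = {
    "ssn": ("social security",),
    "dob": ("date of birth",),
    "diagnoses": ("diagnos",),
    "medications": ("medication", "prescription"),
    "insurance": ("insurance",),
}


def exposed_categories(what_involved):
    text = what_involved.lower()
    return {cat for cat, words in CATEGORY_KEYWORDS.items() if any(w in text for w in words)}


# Runbook steps in the post's order; a step applies when any trigger category is exposed
# (an empty trigger set means the step always applies).
RUNBOOK = [
    ("Freeze credit at all three bureaus", {"ssn", "dob"}),
    ("Freeze ChexSystems", {"ssn"}),
    ("Get an IRS Identity Protection PIN", {"ssn"}),
    ("Place a fraud flag with your health insurer", {"insurance"}),
    ("Request and review your medical records", {"diagnoses", "medications"}),
    ("Pull your free credit reports", {"ssn", "dob"}),
    ("Activate the offered credit monitoring (last)", set()),
]


def recommended_steps(categories):
    return [step for step, triggers in RUNBOOK if not triggers or triggers & categories]


def triage(letter):
    parts = sections(letter)
    cats = exposed_categories(parts.get("What Information Was Involved?", ""))
    return {
        "timeline": timeline_metrics(parse_timeline(parts["What Happened?"])),
        "categories": cats,
        "full_profile": cats == set(CATEGORY_KEYWORDS),  # all five present
        "steps": recommended_steps(cats),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LETTER)
    for key, value in result["timeline"].items():
        print(f"{key}: {value}")
    print("exposed:", sorted(result["categories"]), "full profile:", result["full_profile"])
    for i, step in enumerate(result["steps"], 1):
        print(f"{i}. {step}")
```

On the sample letter this reports a 4-day dwell window, 22 days undetected, mailing on day 60 after discovery (exactly the HIPAA deadline, so on time), 82 days between first access and the mailing date, and, because all five categories appear, every step in the runbook. A letter that lists only a name and insurance information yields just the insurer fraud flag and the monitoring step, which is the point of scanning "What Information Was Involved?" before deciding what to do.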
The MedStar letter suggested reviewing account statements and enrolling in credit monitoring. That advice is not wrong. It is incomplete in ways that matter.
Credit monitoring alerts you after a new account is opened. A credit freeze prevents it from being opened in the first place. That distinction is significant.
ChexSystems and the IRS IP PIN are never mentioned in standard breach letters. Neither is the medical identity theft risk to your actual health records. Those gaps exist because breach notifications are compliance documents, not consumer protection guides.
If you've been lax about account security hygiene, now is a good time to fix that too. Healthcare breaches are frequently combined with credential data from other leaks to enable account takeovers, a technique I covered in detail in how to protect yourself from credential stuffing attacks.
The immediate risk is financial fraud. The longer-tail risk is subtler and typically surfaces 12 to 24 months later. Medical identity theft doesn't always appear quickly; fraudsters often wait before using stolen PHI to avoid triggering immediate flags. Watch for:
If you believe you're already a victim, start a recovery plan at IdentityTheft.gov. The FTC's guided tool walks you through dispute letters, fraud alerts, and agency contacts specific to your situation.
The letter arrived in April. The breach happened in September. That gap is legal, common, and outside your control. What you can control is how hard a target you make yourself before someone tries to use what they already have.
The steps above take less than two hours. Do them today.