REAL Law Group

Received a Data Breach Notification Letter in Illinois?

What the letter means, the seven steps to take now, and the legal rights Illinois gives you — in plain English.

Reviewed by Vincent Anthony Incopero, Managing Partner, REAL Law Group, P.C. · Licensed in Illinois · Last updated June 12, 2026

“I received a letter saying my personal information was involved in a data breach.”

Don't panic — but don't ignore it either. That letter exists because Illinois law required the company to tell you. Under the Illinois Personal Information Protection Act (815 ILCS 530), a company that exposes your personal information must notify you in the most expedient time possible and without unreasonable delay — and if more than 500 Illinois residents are affected, it must also report the breach to the Illinois Attorney General.

“Personal information” under Illinois law means your name combined with a Social Security number, driver's license or state ID number, financial account or card numbers, medical information, health insurance information, or biometric data — or a username or email address combined with a password that unlocks an online account. If you got a letter, at least one of those was likely exposed.

Here is exactly what to do, step by step.

What to Do After a Data Breach Letter: 7 Steps

1. Read the Letter Carefully — and Keep It

The letter tells you exactly what was exposed (Social Security number, medical information, financial accounts), when the breach happened, and what the company is offering you. Keep the letter and the envelope — it is evidence, it may start legal deadlines, and attorneys will ask for it first. A photo of it on your phone is a good backup.

2. Make Sure the Letter Is Real

Scammers send fake 'breach support' letters, calls, and texts that piggyback on real breaches. Search the company's name plus 'data breach' to find its official announcement, or go to the company's website directly — do not call phone numbers or click links you cannot verify. A real notification will never ask for your password, full Social Security number, or payment over the phone.

3. Enroll in the Free Credit Monitoring

Most letters offer 12–24 months of free credit monitoring or identity protection. Accept it — the Federal Trade Commission recommends taking it, and enrolling generally does not waive your right to participate in a lawsuit or settlement. Just know its limits: monitoring alerts you after something happens; it does not prevent identity theft.

4. Freeze Your Credit at All Three Bureaus

A security freeze blocks new credit accounts from being opened in your name and is free by federal law. You must place it separately with Equifax, Experian, and TransUnion, and you can lift it temporarily whenever you apply for credit. If a freeze feels like too much, a free one-year fraud alert is a lighter alternative — see the comparison below.

5. Pull Your Free Credit Reports and Watch Your Accounts

You can check your credit reports from all three bureaus for free, as often as weekly, at AnnualCreditReport.com. Look for accounts you do not recognize and hard inquiries you did not authorize. Review bank and card statements line by line, and if medical information was exposed, read every Explanation of Benefits from your insurer for care you never received.

6. Lock Down Your Logins — and Your Tax Return

If a password was exposed, change it everywhere you reused it and turn on two-factor authentication. If your Social Security number was exposed, consider requesting an Identity Protection PIN from the IRS so no one can file a tax return in your name, and file your own return early.

7. Document Everything

Keep a simple log: every fraudulent charge, every suspicious account, every scam call or phishing text, every dollar you spend on protection, and every hour you spend dealing with the breach. Under Illinois law, documented losses are what turn a notification letter into a viable legal claim. If misuse occurs, report it at IdentityTheft.gov for a personalized recovery plan.

Credit Freeze vs. Fraud Alert: Which Should You Choose?

Both are free. A credit freeze is the stronger protection; a fraud alert is the lighter, more convenient one. If your Social Security number was exposed, most experts recommend the freeze.

| | Credit Freeze | Fraud Alert |
|---|---|---|
| What it does | Blocks lenders from accessing your credit file, so new accounts generally cannot be opened in your name | Tells businesses to take extra steps to verify your identity before extending credit |
| Cost | Free by federal law | Free |
| How long it lasts | Until you lift or remove it — you can lift it temporarily any time | 1 year, renewable (7 years for confirmed identity theft victims) |
| Setup | Must be placed separately with each of the three bureaus | Place with one bureau and it must notify the other two |
| Best when | Your Social Security number was exposed, or you will not need new credit soon | You want protection but expect to apply for credit or loans soon |

What to Do Based on What Was Exposed

Social Security Number

The most serious exposure — an SSN cannot be changed like a password. Freeze your credit at all three bureaus, consider an IRS Identity Protection PIN, file your tax return early, and review your Social Security statement annually. Stolen SSNs are often used months or years later, so stay vigilant after the free monitoring ends.

Financial Account or Card Numbers

Contact your bank or card issuer, ask for a replacement card or new account number, and review statements line by line. Dispute fraudulent charges promptly in writing and keep copies — unreimbursed fraud losses are exactly the kind of documented damage that supports a legal claim.

Medical or Health Insurance Information

Medical identity theft can mean someone receives care or prescriptions under your insurance. Read every Explanation of Benefits, ask your providers for copies of your records if something looks wrong, and report errors to your insurer immediately. Healthcare breaches are among the most common breaches affecting Illinois residents.

Your Child's Information

Children's data is valuable to thieves precisely because misuse can go unnoticed for years. You can ask each credit bureau to check whether your child has a credit file and place a free freeze on it. School and education software breaches have exposed millions of students' records nationally — including Illinois students.

Usernames and Passwords

Change the exposed password immediately — and everywhere else you used it. Turn on two-factor authentication for email and financial accounts first; your email account is the master key to everything else. Watch for targeted phishing that references the breached company by name.

Can I Sue Over a Data Breach in Illinois?

Possibly. Illinois law requires companies to maintain reasonable security measures for personal information, and a violation of the state's breach notification law is automatically an unlawful practice under the Illinois Consumer Fraud Act. Victims with documented losses — fraudulent charges, accounts opened in their name, out-of-pocket costs — may have claims, and exposures of biometric or genetic information can trigger Illinois statutes that provide set statutory damages without proof of identity theft. That is why Step 7 above matters: documentation is what turns a letter into a claim.

Free case review for Illinois residents

REAL Law Group represents Illinois residents in data breach and privacy litigation on a contingency basis — no attorney's fees unless you recover. Have your notification letter handy and contact us or call (630) 299-7600.

Breaches That Have Affected Illinois Residents

Data breaches are not rare events that happen somewhere else. Recent publicly reported breaches affecting Illinois residents include:

Erie Family Health Centers (Chicago area): The Chicago-area community health network publicly reported in 2026 that a late-2025 intrusion affected roughly 570,000 patients, with exposed data potentially including Social Security numbers, financial information, and treatment records.

Illinois Department of Human Services: The state publicly disclosed that information of roughly 705,000 Illinois residents — largely Medicaid-related records — was viewable online due to incorrect privacy settings between 2022 and 2025.

Saint Anthony Hospital (Chicago): The West Side hospital publicly reported that compromised email accounts exposed information of more than 146,000 people; notification letters went out roughly a year after the 2025 intrusion.

Chicago Public Schools (vendor breach): CPS publicly disclosed in 2025 that a breach at a third-party file-transfer vendor exposed records of more than 700,000 current and former students.

TransUnion (Chicago-based credit bureau): TransUnion publicly disclosed in 2025 that a breach involving a third-party application exposed personal information of more than 4 million U.S. consumers, including names, Social Security numbers, and dates of birth.

This list summarizes public reports and disclosures for informational purposes. It is not a list of lawsuits, and no court has determined that any company listed violated any law.

Frequently Asked Questions

Illinois's Personal Information Protection Act (815 ILCS 530) requires notification 'in the most expedient time possible and without unreasonable delay,' allowing time to determine the breach's scope and restore system security. There is no fixed number of days for private companies, which is why some letters arrive months after the intrusion. Breaches affecting more than 500 Illinois residents must also be reported to the Illinois Attorney General no later than when consumers are notified.
Verify independently: search the company's name plus 'data breach' for its official announcement, or visit the company's website directly instead of using links or phone numbers in a letter you do not trust. Legitimate breach notifications do not ask for your password, full Social Security number, or any payment. If a 'breach support' caller or texter asks for personal information, hang up — real notifiers do not do that.
It is not fatal to a claim, but try to recover the information. The company's website usually has its breach notice posted, you can request another copy from the company, and large healthcare breaches appear on the federal HHS breach portal. If you contact us, we can usually help confirm whether a breach was publicly reported and whether you fit the affected group.
Yes — the FTC recommends accepting free credit monitoring after a breach, and enrolling generally does not waive your right to participate in a lawsuit or class settlement. Be aware of what it does not do: it alerts you to changes on your credit report after they happen, but it does not block new accounts (a credit freeze does that) and it usually will not catch misuse of medical information or existing bank accounts.
Possibly. Illinois residents may have claims under the Consumer Fraud Act — a violation of Illinois's breach notification law is automatically an unlawful practice under it — and under common-law theories, especially when there are documented losses like fraudulent charges or out-of-pocket costs. Biometric and genetic information exposures can trigger BIPA and GIPA, which provide statutory damages without proof of identity theft. A free case review is the fastest way to find out where you stand.

Attorney Advertising. This page provides general information for Illinois residents and is not legal advice about your specific situation. Contacting REAL Law Group, P.C. or submitting a form does not create an attorney-client relationship and does not stop any statute of limitations or other deadline; representation begins only when a written engagement agreement is signed.

Have a data breach letter? Find out where you stand.

Call REAL Law Group at (630) 299-7600 or send us a message for a free, confidential case review. No attorney's fees unless you recover.
