We hear of it more and more. Recently, 100 million Sony Playstation customers find out hackers got into their accounts. Millions of customers of Chase Bank, Target, TiVo, and other companies were told someone stole their names and emails.
"I got a letter in the mail from Health Net," said Todd Evans-Longo of San Jose.
Evans-Longo received a warning letter too. His came from his insurance company, Health Net, saying several of its hard drives were "missing" and they contained health records of two million customers, including him.
"Like they got everything somebody would need to know to be me," said Evans-Longo.
The letter said they may know everything including his name, address, social security number, health and financial information.
"Potentially that's a big disaster," said Evans-Longo.
The letter said IBM handles the data and it "could not locate several hard disk drives."
"I want to know where my information is. I want to know exactly what happened. I mean, how do you lose a server? Did somebody wheel it out the door?" asked Evans-Longo.
Under California law, companies must notify consumers when their information is stolen, but they're not required to provide details of the breach.
7 On Your Side contacted IBM which said only: "IBM continues to assist Health Net with its investigation of unaccounted-for server drives."
Health Net said, "Protecting the privacy of our members is of the highest priority…Health Net has acted promptly, decisively and appropriately to protect affected individuals."
Indeed Health Net is offering two years of free identity theft protection. It includes automatic fraud alerts and $1 million of insurance coverage to correct any fraud. Evans-Longo said that's great, but what happens after two years.
"How much is enough? How long do I need protection for that," said Evans-Longo.
"Unfortunately, there's no magic bullet to this type of ...there's no one answer that fits every situation," said special agent Charles White.
White is from the U.S. Secret Service, which enforces identity theft laws. He said don't rely on a company to protect your identity.
"Set up a file, and we're all our own best advocates," said White.
White said file a police report you can point to later if someone opens an account or commits a crime in your name. Set up a fraud alert with the three major credit bureaus. You'll be notified if someone tries to open an account in your name. Also, be on guard for at least a year or longer. Hackers may sell data to scammers who may use it down the line. That's no great comfort for Evans-Longo.
"It's probably 90 percent that nothing will happen and it's just a misplaced piece of hardware, but what if it's not?" asked Evans-Longo.
Hearings began in Congress last month. Some legislators are calling for federal laws requiring companies to secure data and swiftly notify customers after a breach.