

Identity theft occurs when someone unlawfully takes another's personal information for criminal purposes. Corporations, small businesses, celebrities, and ordinary individuals have fallen prey to it. California has experienced its fair share of fraudulent activity over the years, ranking as one of the top states regarding data breaches or identity theft. Fraud is an umbrella term covering a wide variety of criminal acts, which entail using deception or misrepresenting statements to gain an unfair advantage over an unsuspecting party. The most common types of theft in California include forgery, identity theft, credit card theft, insurance fraud, internet fraud, real estate fraud, and tax fraud.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Identity Theft
Imposter Scams
Credit Bureaus, Information Furnishers and Report Users
Online Shopping and Negative Reviews
Telephone and Mobile Services
Banks and Lenders
Debt Collection
Auto Related
Internet Services
Prizes, Sweepstakes and Lotteries

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Loan or Lease Fraud
Bank Fraud
Employment or Tax-Related Fraud
Phone or Utilities Fraud
Government Documents or Benefits Fraud

California's Recent Biggest Data Breaches


Activision Cyber-Attack

In 2023, Call of Duty video game publisher Activision fell victim to a data breach. The hackers accessed confidential employee information via an HR worker's credentials. Activision maintained the incident was not significant.


Partnership HealthPlan of California

In 2022, the Partnership HealthPlan of California's computer systems were hacked. In the attack, cybercriminals made off with the health information of 850,000 current and former health plan members. The data included patient names, medical record numbers, prescriptions, and diagnoses.


Alameda Health System breach

Alameda Health System revealed in 2022 that it was breached by hackers who made off with the health information of 90,000 patients. The criminals did this by gaining remote access to the email accounts of the platform's employees. Alameda did not say the date of the breach or the type of information that may have been compromised.


California Department of Finance

LockBit, a well-known ransomware group, announced in 2022 that it had stolen 75 GB of data from California's Department of Finance. They also posted screenshots of the property dialog for the files they had in their possession. There were about 246,000 files in the stolen data cache, including financial records. Despite threats from the group that they would make the data public, the Department of Finance indicated it was performing an investigation. They claimed no state funds were compromised.


Sharp Healthcare

Sharp, a large not-for-profit healthcare provider in Southern California, was compromised by cyberattacks between August 2021 and January 2023. The provider announced that it had begun notifying more than 60,000 patients about the breach. It insisted that bank details, credit card information, health records, and Social Security numbers were not among the stolen data.


University of California, Health

In mid-2015, the University of California Health's database was infiltrated. The hackers may have gotten access to sensitive information on 4.5 million patients. The platform admitted that it had not encrypted its patient data, which drew criticism from security specialists. There was a significant effort to secure the network and data from further breaches.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to Log In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

If the business is a third party that handles personal data but does not own or license it and there is a leak, it has to inform the entity that owns the information. Companies are also required by law to notify their customer base and other affected individuals if they experience a data breach. They are required to take the following measures.

  1. Following a data breach, a business must notify California's Attorney General's office if the number of affected individuals is more than 500. The company must also provide a sample of their declaration to affected consumers.
  2. The notifications must be sent to the person's last known address or a specific representative. Electronic notices are allowed, but only if those affected have agreed in writing to receive the communications.
  3. If the business has a website, the notification email to affected customers must link to a conspicuous posting on the business home page. This posting will remain online for 30 days. The link has to stand out from the rest of the email via larger text or contrasted fonts. However, posting the information on one's website will not be considered a substitute for a breach notice. Businesses still have to notify all affected individuals concerning the scope of the breach.
  4. Business owners must also write the notice in plain language with a distinct title.
  5. The notice must include, if available, the name and contacts of the business making the disclosure, a description of the event, types of personal information breached, and the date of the breach. Should the breached information entail driver's licenses, social security numbers, or ID numbers, the notification will include toll-free numbers and the credit reporting agencies' addresses.
  6. For facilities in the healthcare sector, the California Department of Public Health has to be told no more than 15 days after a breach is discovered.


  • According to the California Civil Code, entities that own or license computerized personal information must notify residents in the event of a data breach that results in the unauthorized acquisition of unencrypted information.
  • As required by law, the notification can be delayed if a law enforcement agency finds the notification will affect a criminal investigation. The notification must then be made immediately after the agency determines it will not compromise the investigation.
  • People or businesses that are required to issue security breach notices have to meet the following requirements:
    • The structure of the notice has to call attention to the significance of the information.
    • The title and headings within the data breach notice must be clearly displayed.
    • The text of the notice and other notices issued must not be smaller than 10-point type.
  • Business entities must notify the attorney general when more than 500 California residents are affected by the data breach. Entities may also electronically submit a sample copy of the notification.
  • Breached third parties must notify relevant data owners after discovering unauthorized information acquisition.
  • Entities that maintain their own notification procedures are considered to comply with the notification requirements if those procedures are in line with the state's requirements and are followed in the event of a breach.
  • Customers who are injured by a violation of the title can institute civil actions to recover damages.