Identity theft in the United States

Identity theft involves obtaining somebody else's identifying information and using it for a criminal purpose. Most often that purpose is to commit financial fraud, such as by obtaining loans or credits in the name of the person whose identity has been stolen. Stolen identifying information might also be used for other reasons, such as to obtain identification cards or for purposes of employment by somebody not legally authorized to work in the United States.

According to a United States Department of Justice study, in 2012 the direct and indirect cost of identity theft was estimated to be responsible for financial losses of $24.7 billion, approximately twice the $14 billion total cost of other property crimes. By 2014, losses to identity theft decreased to $15.4 billion, mostly due to a reduction in the number of high-value losses (the top 10% of cases). By 2016, the estimated cost of identity theft increased to $16 billion.

In 2012, identity theft affected approximately 16.6 million people, approximately 7% of the U.S. population aged 16 or older. In 2014, identity theft affected approximately 17.6 million people, again approximately 7% of the U.S. adult population. It was estimated that approximately one third of Americans affected by a data breach ended up becoming a victim of financial fraud in 2013, an increase from one ninth in 2010. When an existing credit card is exposed and then used for fraud, the average estimated loss is $1,251. When a Social Security number is exposed and then used to open new accounts, the average estimated loss increases to $2,330. In 2015, a private study performed by Javelin suggested that incidents of identity theft remained steady from 2014, and that the losses associated with each instance of identity theft had decreased slightly.

Tax fraud
In 2012, identity theft was blamed for $4 billion of fraudulent tax refunds by the Internal Revenue Service (IRS) and 770,000 taxpayers have been the victims of tax identity theft by 2013. A public-private initiative by the IRS and employers in 2016 resulted in a 50% drop in incidents of taxpayer identity theft reports.

In calendar year 2016, the IRS stopped 883,000 confirmed identity theft returns. In 2022, the IRS indicted a man for identity theft and other crimes related to 76 fake charities registered to the same mailing address.

Medical identity theft
Medical identity theft involves the use of somebody else's identity or insurance information to obtain healthcare, or to bill for healthcare services that are not actually provided. It is estimated that medical identify theft can be more lucrative than credit card theft. At one black-market auction, a patient's medical record sold for $251, while credit card records sold for 33 cents.

Due to the ability of hackers to access customer data from large health insurance companies, concerns have been raised that health care companies are not doing enough to protect customer's financial and health data.

Data breaches
For purposes of identity theft, data breaches involve the unauthorized access of consumer data contained on computer systems, with the data being potentially subject to use for purposes of identity theft. The Identity Theft Resource Center said there were 662 data breaches in the United States in 2010, almost a 33% increase from the previous year. Between January, 2015 and September, 2017, the Identity Theft Resource Center estimates that there were 7,920 breaches affecting more than one billion records that could lead to identity theft.

Incidents
On May 5, 2011, Michaels, a craft store chain, sent an email alert to its customers revealing that its debit card terminals in 20 states had been compromised. Customers who made PIN-based purchases between February 8 and May 6, 2011 may have had their data exposed. A class action lawsuit was filed against Michaels in the county court of Passaic, New Jersey over the incident. On April 17, 2014, Michaels confirmed a security breach at some of Michaels' stores and subsidiary Aaron Brothers from May 8, 2013 to February 27, 2014.

Between July and September 2011, a $13 million scam resulted in the arrest of 111 people. The scammers used skimming devices to swipe consumer credit card information at retail or food establishments. According to the Federal Trade Commission losses from identity theft in the United States cost about $1.52 billion in 2011. It is estimated that the IRS gave identity thieves $5 billion in refunds.

In 2012, about 40 million sets of payment card information were compromised by a hack of Adobe Systems.

On February 15, 2013, Rep. Debbie Wasserman Schultz (D, FL-23) introduced the Stopping Tax Offenders and Prosecuting Identity Theft Act of 2013 (H.R. 744; 113th Congress) into the United States House of Representatives. The bill would increase the penalties on identity thieves in the United States and change the definition of identity theft to include businesses and organizations instead of just individuals.

Large U.S. corporations, such as Target Corporation, Home Depot, Neiman Marcus and Barnes & Noble, have been in the news after their credit card system was hacked. In 2014, a malware intrusion at Staples resulted in a credit card breach. 119 stores were impacted between April and September 2014, and 1.16 million customer credit and debit cards may have been stolen.

In October 2014, President Barack Obama announced that debit cards that transmit federal benefits like Social Security to Americans will be equipped with a security chip replacing the magnetic strip. The U.S. government will also apply the security chips and personal identification numbers (PIN), to replace signatures of all government credit cards. The measure is expected to reduce fraud. USA Today reported that an estimated 100 million people having been affected by breaches in 2014.

In November 2014, Sony Pictures Entertainment suffered a data breach. On December 18, 2014, employees of Sony filed a class action lawsuit against their employer claiming that Sony failed to take necessary actions to secure its employees personal information. The lawsuit was filed in U.S. District Court for the Central District of California.

In 2015, there were 781 recorded data breaches in the United States, which compromised the security of over 169 million records. The frequency and severity of data breaches has led forty-seven states to pass security breach notification laws, to ensure that citizens are notified in a timely manner when their records have been exposed.