Is there any consequence? I’ve seen now a new practice where companies won’t even tell you what was compromised. For example a big one last year (?) was at the University of Washington. I had family receive vague letters saying some other place called Fred Hutch cancer center got hacked, and for some reason, the patient data of the university’s own hospitals was shared with this other place (even though they aren’t patients of Fred Hutch). Both Fred Hutch and UW refuse to tell individuals what data of theirs was compromised, but just say it can include all personal info including medical records and test results and social security numbers. It’s infuriating to just see a vague letter with free credit monitoring from companies that should be doing more and fined more.