iHeartMedia Exposed Your Social Security Number, Health Records, and Bank Data for Four Days
Between Christmas Eve and the day after Christmas 2024, a hacker walked into iHeartMedia’s systems and walked out with some of the most sensitive personal data that exists. The company waited until April 11, 2025 to tell the people whose lives were just handed to a criminal.
What Happened: A Four-Day Window of Theft Nobody Told You About
iHeartMedia is one of the largest radio and audio entertainment companies in the United States, operating hundreds of local stations across the country. During the four days spanning Christmas Eve through December 27, 2024, at least one unknown actor gained unauthorized access to file systems at “a small number” of those local stations. Here is what the company’s own disclosure confirms.
- December 24–27, 2024: The breach window. An unauthorized actor viewed and obtained files from iHeartMedia’s local station systems. The company does not disclose in the notice how many stations were affected, how many files were taken, or how many individuals are in those files.
- iHeartMedia says it “immediately” implemented response protocols once it became aware. The notice does not state when the company first became aware, meaning “immediately” is unverifiable from the disclosure alone.
- A third-party cybersecurity firm was engaged to assist with the investigation, and law enforcement was notified. Neither the name of the firm nor the specific law enforcement agency is disclosed.
- April 11, 2025: The company completed its review of the stolen files and confirmed that individual recipients’ personal information was among the data obtained. This is the date victims were first told their data was compromised, approximately 107 days after the breach began.
- The notice was mailed from a Secure Processing Center in Suwanee, Georgia, operating under a P.O. Box, with no named contact individual. Affected people are directed to a call center phone number for questions.
The Data That Was Stolen: Every Category of Identity Destruction
The breadth of data categories confirmed stolen in this breach is not typical. Most breaches leak one or two data types. iHeartMedia’s breach covers nearly every data class that exists for identity theft, financial fraud, and medical fraud simultaneously.
- Social Security numbers and Tax ID numbers: The foundational identifiers for opening bank accounts, taking out loans, filing fraudulent tax returns, and claiming government benefits in someone else’s name. Once these are out, the exposure is permanent. You cannot change your SSN without extraordinary effort.
- Driver’s license numbers and State ID numbers: Used to create counterfeit identification documents, pass identity verification checks, and commit in-person fraud. Combined with a name and date of birth, a criminal has a functional identity package.
- Passport numbers and other government identification numbers: Enables fraud across international borders and at federal checkpoints. Passport fraud can affect travel clearance and border records that follow a person for life.
- Date of birth: The third leg of the standard identity theft tripod. Most financial institutions require a name, SSN, and date of birth to verify identity. All three were potentially taken here.
- Financial account information and payment card information: Direct access to existing bank accounts and credit or debit card numbers. This is not potential future harm; this is immediate, liquidatable theft.
- Health information and health insurance information: The most dangerous and least-discussed category. Medical identity theft can result in false treatment records, fraudulent insurance claims billed under a victim’s name, and permanently corrupted medical histories that can lead to incorrect treatment in emergencies.
“The information also may have included your passport number or other governmental identification number, date of birth, financial account information, payment card information, health information and/or health insurance information.”
Direct quote from iHeartMedia’s official breach notice. The word “may” signals they do not know exactly what was taken from each person.
The Non-Financial Ledger: What iHeartMedia Stole from You That Cannot Be Refunded
iHeartMedia’s breach notice is a clean, corporate document. It uses careful language. It apologizes for the “inconvenience.” It offers a phone number. It moves efficiently from what happened to what you should do, skipping almost entirely over what it actually feels like to receive a letter telling you that a stranger somewhere now has your Social Security number, your health records, and your bank account information.
Imagine being a station employee or contractor who spent the holidays in late December not knowing. You were opening gifts, or working a holiday shift, or putting your kids to bed. Someone, somewhere, was going through your files. iHeartMedia knew there had been an intrusion. Their investigators were working on it. And you were not told. You were not given the chance to freeze your credit before someone tried to open a credit card in your name. You were not warned to watch your health insurance explanation of benefits for fraudulent claims. You had no idea.
The three and a half months between the breach and notification is not an abstraction. That is 107 days during which anyone whose information was in those files could have been victimized by identity theft and had no framework for connecting the fraud to its source. A fraudulent tax return filed in your name during tax season. A payday loan taken out using your Social Security number. A medical procedure billed to your insurance by someone you’ve never met. All of these things happen to real people in real data breach aftermaths, and they happen precisely in the window before the company tells you to start watching.
The health data category deserves special attention because it receives the least. When your Social Security number is stolen, the system at least has some mechanisms to flag suspicious new credit applications. When your health records are stolen, the fraud is quieter and more devastating. It corrupts the medical record that follows you into every emergency room and every new doctor’s office. If someone used your insurance to receive care for a condition you don’t have, that condition may now appear in your history. A wrong blood type. A medication allergy that isn’t yours. An incorrect diagnosis. These are not hypotheticals. They are documented consequences of medical identity theft, and they can get people killed.
Then there is the remedy iHeartMedia is offering: one year of Equifax credit monitoring. This is the company that in 2017 exposed the Social Security numbers, birth dates, and addresses of approximately 147 million Americans in what federal regulators called one of the largest data breaches in history. iHeartMedia’s response to a data catastrophe is to hand its workers and affiliates to the company that built the template for how badly consumer data can be handled. One year of Equifax monitoring expires. The data stolen in December 2024 does not.
Legal Receipts: The Words iHeartMedia Put in Writing
The following are verbatim excerpts from iHeartMedia + Entertainment, Inc.’s official Notice of Data Breach. Each quote is directly from the source document. Each one reveals something specific about the company’s conduct, its knowledge, or its posture toward the people affected.
“Between December 24, 2024, and December 27, 2024, an unauthorized actor viewed and obtained files stored on systems at a small number of our local stations. As soon as we became aware, we immediately implemented our response protocols, took measures to contain the activity, and launched an investigation.”
- The phrase “as soon as we became aware” is doing significant legal work here. iHeartMedia does not disclose in this notice the date they became aware of the breach. The breach ran December 24–27. Notification happened April 11, 2025. The gap between awareness and notification is entirely unaccounted for.
- The phrase “a small number of our local stations” minimizes scope without providing a specific station count. Victims cannot determine from this notice whether their local station was one of the affected ones.
“We conducted a careful review of the files and, on April 11, 2025, determined that one or more of the files contained your information.”
- The review took from the breach window through April 11, 2025. During that entire period, the company had reason to believe personal information was compromised but individuals were not notified. The notification came only after the internal review concluded.
- The phrase “one or more of the files” indicates that even after the “careful review,” iHeartMedia cannot tell you exactly which file or files contained your specific information, or what was in each file that was accessed.
“The information also may have included your passport number or other governmental identification number, date of birth, financial account information, payment card information, health information and/or health insurance information.”
- The word “may” is a legal hedge that means iHeartMedia cannot confirm for each individual recipient exactly which data categories were compromised. The most sensitive data categories, including health records and financial account data, are in the “may have included” bucket, leaving victims unable to assess their own level of risk.
- Despite this uncertainty, iHeartMedia still chose to send a single notice covering all these categories rather than disclosing the confirmed categories to each individual separately. Everyone gets the same list. Nobody gets precision.
“To prevent similar occurrences in the future we have strengthened our existing security measures.”
- This is the entirety of iHeartMedia’s disclosure about what changed internally after the breach. No specific measures are named. No third-party audit is promised. No security infrastructure improvements are described. The company tells affected individuals the problem has been handled while providing zero verifiable detail about how.
- The phrase “strengthened our existing security measures” implies that the security measures existed prior to the breach and simply needed strengthening. It does not acknowledge whether the breach resulted from a known vulnerability, a failure of those existing measures, or negligence in maintaining them.
“This incident involves 1 individual in Rhode Island.”
- This disclosure appears in the Rhode Island section of the state-specific addendum and is mandated by Rhode Island law, which requires companies to disclose the number of residents affected in that state. iHeartMedia did not voluntarily include this figure; it was legally compelled to.
- Only Rhode Island requires this kind of numerical disclosure. The absence of a total affected count in the main notice, combined with this single-state figure being disclosed only because state law required it, shows that iHeartMedia disclosed only what each jurisdiction’s law forced it to disclose and nothing more.
“We regret that this incident occurred and apologize for any inconvenience it may cause.”
iHeartMedia’s formal acknowledgment of exposing your Social Security number, health records, and bank data is an apology for an “inconvenience.” That word choice is intentional.
Societal Impact Mapping: Who Gets Hurt and How
Public Health
The exposure of health information and health insurance data in this breach creates documented risks that extend beyond financial fraud and into physical safety.
- Medical identity theft using stolen health insurance information allows fraudsters to bill insurers under a victim’s policy number for procedures, prescriptions, or equipment the victim never received. These fraudulent claims become part of the insurance record, affecting future coverage decisions, premium calculations, and claim denials.
- Corrupted medical records created by identity thieves can embed incorrect diagnoses, medications, and allergies into a victim’s file. In emergency situations where a patient cannot speak for themselves, clinicians relying on that file may administer contraindicated treatments based on a fraudster’s medical history.
- Victims of medical identity theft bear the burden of disputing fraudulent records across multiple providers and insurers. This process can take years, requires extensive documentation, and often forces individuals to delay or forgo legitimate care because their insurance benefits have been exhausted by fraud.
- The breach notice itself acknowledges the health information risk by advising victims to “review any statements you may receive from your health insurer or healthcare providers” and to report charges for services not received. This advisory implicitly confirms the company knows fraudulent medical billing using the stolen data is a plausible outcome.
Economic Inequality
Data breaches do not affect all people equally. The harm concentrates in the populations least equipped to absorb it.
- Enrolling in credit monitoring, filing police reports, placing security freezes at three separate credit bureaus, contacting state attorneys general, and disputing fraudulent accounts all require time, access to technology, and baseline financial literacy. People who work multiple jobs or lack reliable internet access are systematically disadvantaged in executing the remediation steps iHeartMedia’s notice outlines.
- The credit monitoring offered, Equifax Complete Premier, requires the recipient to be over age 18 with a credit file. This means dependents of affected employees, or individuals without established credit, are excluded from the primary remedy offered.
- The notice advises victims to be “vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity over the next 12 to 24 months.” This is an open-ended 24-month burden placed on individuals who did not consent to having their information stored, let alone stolen.
- Individuals who do experience identity theft as a result of this breach face real out-of-pocket costs: legal fees, time off work to manage disputes, potential loss of employment or housing if fraudulent records affect background checks, and in some cases, tax liability from fraudulent returns filed in their name. The $1,000,000 identity theft insurance offered through Equifax has documented exclusions and coverage limitations; it is not a blank check for all resulting harm.
- Radio station employees, many of whom are hourly workers in local markets, are likely among the victims. The data types involved, including tax identification numbers and financial account information, suggest payroll records were among the files accessed. Hourly workers, who have narrower financial margins, are more vulnerable to the cascading consequences of even a single fraudulent account or garnished tax refund.
The Cost of a Life Metric
What Now: Concrete Steps for People Whose Data iHeartMedia Handed to a Criminal
The company put its legal obligations in writing. Here is what you can actually do with that, and who you can push to do more.
Corporate Accountability Targets
- iHeartMedia + Entertainment, Inc. is headquartered at 125 West 55th Street, 12th Floor, New York, NY 10019. The main line is (210) 822-2828. Public-facing corporate contacts include the Chief Executive Officer, Chief Financial Officer, and General Counsel. Their names are not disclosed in the breach notice. Demand the General Counsel account for the 107-day notification delay specifically.
- The third-party cybersecurity firm engaged by iHeartMedia is unnamed in the notice. Demand the company disclose who conducted the forensic investigation and whether a public summary of findings exists.
Watchlist: Regulatory Bodies That Can Act
- Federal Trade Commission (FTC): File a complaint at ftc.gov/complaint. The FTC enforces against deceptive data security practices under Section 5 of the FTC Act. A 107-day notification delay and a vague remediation statement are relevant facts for any complaint.
- Federal Communications Commission (FCC): iHeartMedia is a federally licensed broadcast company. The FCC has jurisdiction over its licensees and can condition license renewals on demonstrated security compliance. File a consumer complaint at fcc.gov/consumers/guides/filing-informal-complaint.
- State Attorneys General (Maryland, New York, North Carolina, Rhode Island, New Mexico): These states are named in iHeartMedia’s breach notice and have active consumer protection offices. Contact information is provided directly in the notice. Residents of those states can file formal complaints that trigger mandatory investigative responses.
- Consumer Financial Protection Bureau (CFPB): The breach involved financial account and payment card data. The CFPB accepts complaints about financial data exposure at consumerfinance.gov/complaint.
- Internal Revenue Service (IRS): If you suspect your SSN has been used to file a fraudulent tax return, complete IRS Form 14039 (Identity Theft Affidavit) immediately. Do not wait for confirmed fraud to file; filing preemptively creates a record and can trigger IRS monitoring of your account.
Immediate Self-Defense Steps
- Freeze your credit at all three bureaus today, for free: Equifax (equifax.com), Experian (experian.com), TransUnion (transunion.com). A freeze prevents new credit from being opened in your name. It costs nothing and can be lifted within one hour online or by phone. Do not rely on the Equifax monitoring iHeartMedia offered instead of freezing; monitoring tells you after fraud happens, a freeze prevents it.
- Contact your health insurer directly: Request a complete history of recent claims filed under your policy number. Dispute any service you did not receive in writing. Document every communication.
- File a police report with your local law enforcement: Rhode Island residents are explicitly told by iHeartMedia’s notice that they have the right to do this. All victims in all states have this right. A police report creates a paper trail that creditors and agencies must recognize in identity theft disputes.
- File an identity theft report at IdentityTheft.gov: The FTC’s dedicated identity theft portal generates a personalized recovery plan and creates an official record. This record carries legal weight in disputes with creditors and agencies.
- Connect with local mutual aid networks: If the cost of legal assistance, time off work to manage disputes, or complexity of the remediation process is a barrier, search “[your city] mutual aid” to find community-organized networks that can provide direct support, peer guidance from people who have navigated identity theft, and referrals to low-cost legal aid organizations that specialize in consumer protection.
- Monitor your medical records: Request a complete accounting of your records from your primary care provider and your insurer. The Medical Information Bureau (MIB) also maintains a consumer file; you can request a copy at mib.com. Dispute any inaccuracies in writing immediately.
The source document for this investigation is attached below.