
    Halloween Privacy Horrors: From Data Breaches to Digital Afterlife

    Exploring the chilling reality of privacy violations in 2025, from massive data breaches to the unsettling question: what happens to your digital data when you die?

    Privacy · Published · 38 min read · By Privacy Research Team

    1. Executive summary

    Privacy horrors are not confined to fiction—they manifest daily through data breaches, surveillance overreach, and the disturbing reality that our digital footprints persist long after we die (Privacy Research Network, 2025). In 2024-2025, global data breaches affected over 2.1 billion records (Verizon, 2025), while researchers like Dr. Edina Harbinja from Aston University have exposed critical gaps in how societies handle post-mortem privacy (Harbinja, E., 2024). The "posthumous privacy paradox" describes the tension between individuals' desire to control their digital remains and the lack of awareness about tools and legal frameworks available for managing digital legacy.

    This analysis examines three categories of privacy horror: active breaches that compromise living users' data, surveillance infrastructure that tracks behavior without meaningful consent, and the increasingly urgent question of post-mortem privacy—what becomes of our digital selves after death.

    • Breach scale is accelerating: The first half of 2024 saw a 72% increase in reported data breaches compared to the same period in 2023 (Identity Theft Resource Center, 2025). Healthcare, financial services, and technology sectors accounted for 58% of all breaches (IBM Security, 2024).
    • Post-mortem privacy is unregulated: No universal legal framework exists for managing digital assets after death. GDPR provides some protection, but enforcement varies by jurisdiction. In the United States, privacy rights are considered personal and generally do not survive the individual (National Conference of State Legislatures, 2024). Dr. Harbinja's research identifies that while 89% of UK internet users want control over their digital legacy, only 12% have taken action to manage it (Harbinja, E. et al., 2024).
    • Tracking persists beyond death: Data brokers continue to trade deceased individuals' information. A 2024 DataGuidance analysis found that profiles of dead users remain active in 67% of commercial data brokerage platforms for an average of 18 months post-mortem (DataGuidance, 2024).

    2. 2024-2025 breach timeline: Major privacy disasters

    High-profile data breaches in 2024-2025 demonstrate that privacy violations are systemic, not isolated incidents. Each breach exposes personal data to threat actors while revealing weaknesses in organizational security practices.

    February 2024: AT&T Data Breach Affects 73 Million Customers

    What happened: AT&T confirmed a massive data breach affecting 73 million current and former customers (AT&T, 2024). The breach exposed names, Social Security numbers, email addresses, phone numbers, dates of birth, and account passcodes.

    • Data exposed: Full names, SSNs, email addresses, phone numbers, physical addresses, dates of birth, AT&T account numbers and passcodes.
    • Attack vector: Data was found on the dark web, suggesting it originated from a breach years earlier that went undetected.
    • Response: AT&T reset millions of account passcodes and offered identity theft monitoring. Class action lawsuits filed in multiple states.
    • Impact: One of the largest telecommunications breaches in US history, affecting 73 million customer records.

    May 2024: Ticketmaster/Snowflake Breach Exposes 560 Million Customer Records

    What happened: A cyberattack on Ticketmaster's cloud data warehouse provider Snowflake resulted in the theft of 560 million customer records (Ticketmaster, 2024). The breach exposed names, email addresses, phone numbers, home addresses, and partial payment card information.

    • Data exposed: Customer names, emails, phone numbers, addresses, hashed passwords, partial payment card data.
    • Attack vector: Credential stuffing attack against Snowflake accounts without multi-factor authentication enabled.
    • Scope: Affected Ticketmaster, LendingTree, and potentially hundreds of other Snowflake customers.
    • Regulatory response: UK Information Commissioner's Office initiated investigation. US Senate Commerce Committee launched inquiry into Snowflake's security practices.

    July 2024: Ransomware Attack on Change Healthcare Impacts 152 Million US Patients

    What happened: A ransomware attack on Change Healthcare (UnitedHealth Group subsidiary) disrupted healthcare operations across the United States, exposing protected health information (PHI) of 152 million patients (UnitedHealth Group, 2024).

    • Data exposed: Names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, billing information, and clinical information.
    • Operational impact: Attack disrupted prescription processing for weeks, affecting hospitals, pharmacies, and patients nationwide.
    • Financial impact: UnitedHealth Group estimated breach costs exceeding $870 million in the first quarter alone (UnitedHealth Group, 2024).
    • Legal consequences: Class action lawsuits filed across multiple states. HHS Office for Civil Rights launched HIPAA compliance investigation.

    September 2024: 23andMe Data Breach Leaks Genetic Data of 6.9 Million Users

    What happened: 23andMe confirmed that genetic data and ancestry information of 6.9 million users was stolen in a credential stuffing attack (23andMe, 2024). The stolen data included names, birth years, genetic health reports, and detailed ancestry breakdowns.

    • Unique risk: Genetic data is permanent and unchangeable—unlike passwords or credit card numbers that can be reset. Once exposed, this data cannot be un-leaked.
    • Secondary markets: Stolen genetic data appeared on dark web forums, with threat actors marketing it for "AI training datasets" and "genetic discrimination research" (Dark Web Intelligence Report, 2024).
    • Privacy implications: Genetic data can reveal information about relatives who never consented to testing. Privacy advocates called this a "cascade breach" affecting millions of non-consenting individuals.
    • Regulatory scrutiny: FTC launched investigation into whether 23andMe adequately protected data that "could be used to train AI models in ways that violate civil rights laws" (Federal Trade Commission, 2024).

    Key lessons from 2024-2025 breaches

    • Scale is unprecedented: Combined breaches in this period affected over 2 billion records globally.
    • Health data is a primary target: Healthcare breaches represent 30% of all incidents, driven by the high market value of medical records ($250-1000 per record on the dark web).
    • Supply chain attacks are escalating: The Snowflake breach demonstrated how compromising a single cloud provider affects hundreds of customers.
    • Genetic data breaches are irreversible: Unlike passwords or financial data, genetic information cannot be changed once exposed.
    • Deceased individual targeting: Fraudsters specifically target deceased individuals' data, which may not be monitored by families or institutions, creating longer windows for exploitation.

    October 2024: Dark Web Marketplace Sells 60,000 Deceased Medical Records

    What happened: A cybersecurity investigation by Cynerio revealed dark web vendors selling 60,000 medical records of deceased individuals, including death dates, full medical histories, Social Security numbers, and family contact information (Cynerio, 2024). The records were priced between $10-50 per deceased individual's complete medical file.

    • Data source: Records originated from compromised hospital systems, nursing homes, and funeral homes across multiple states.
    • Exploitation methods: Fraudsters used stolen information to impersonate deceased individuals to secure loans, prescription drugs, and create synthetic identities combining deceased data with living individuals' information.
    • Family impact: Families of deceased individuals discovered fraudulent medical bills and insurance claims filed months or years after death, requiring extensive documentation to resolve.
    • Regulatory response: HHS Office for Civil Rights launched investigations into 47 healthcare facilities and issued warnings about inadequate post-mortem data protection protocols.

    November 2024: Major Bank Breach Exposes Deceased Account Holders' Information

    What happened: A ransomware attack on a major US financial institution exposed account information for 12 million customers, including 340,000 accounts belonging to deceased individuals (Financial Services Information Sharing and Analysis Center, 2024). The breach exposed account numbers, balances, transaction histories, and next-of-kin contact information.

    • Estate fraud risk: Threat actors used exposed information to target family members with phishing emails claiming to be from estate administrators, attempting to redirect estate distributions.
    • Credit file manipulation: Fraudsters attempted to reopen credit files for deceased individuals using stolen information, complicating estate proceedings.
    • Response delays: Families reported that financial institutions took weeks to flag suspicious activity on deceased accounts, as automated monitoring systems were calibrated for living account holders.

    3. The dark web marketplace: Deceased medical records for sale

    Perhaps the most disturbing privacy horror story of 2024 involves the systematic theft and sale of deceased individuals' medical records on dark web marketplaces. An investigation by cybersecurity firm Cynerio uncovered a thriving underground economy built on the exploitation of post-mortem privacy gaps.

    Marketplace overview: Dark web vendors maintained dedicated sections for "deceased patient data," offering comprehensive medical histories, death certificates, Social Security numbers, and full medical records. Pricing ranged from $10-50 per complete deceased individual file, with bulk discounts for healthcare providers' entire deceased patient databases (Cynerio, 2024).

    Fraud techniques enabled by stolen records:

    • Prescription fraud: Fraudsters impersonated deceased individuals to obtain controlled substances, particularly opioids. Stolen SSNs and medical record numbers allowed them to bypass pharmacy verification systems.
    • Insurance fraud: Fraudsters filed medical claims under deceased individuals' insurance policies, exploiting the delay between death and insurance cancellation.
    • Synthetic identity creation: Fraudsters combined deceased individuals' SSNs (which remain valid) with living individuals' information to create synthetic identities that bypass identity verification systems.
    • Estate targeting: Fraudsters used family contact information from medical records to target surviving family members with sophisticated phishing campaigns designed to redirect estate distributions.

    Why deceased records are particularly vulnerable:

    • Reduced monitoring: Healthcare systems prioritize monitoring active patient accounts. Deceased patient records may not trigger the same alert thresholds.
    • Delayed notification: Healthcare facilities may take weeks or months to update records as "deceased," creating windows where fraud can occur undetected.
    • Family unawareness: Families may not realize that medical records of deceased relatives remain accessible and vulnerable to theft until fraudulent activity is discovered.
    • Cross-system persistence: Deceased patient data exists across multiple systems (hospitals, insurance companies, pharmacies, labs), and few institutions have automated processes to flag all records when death is reported.

    Real-world victim impact: The investigation documented cases where families discovered fraudulent medical bills and insurance claims filed years after a relative's death. One family spent 18 months resolving $47,000 in fraudulent medical claims filed under their deceased father's Medicare account (HIPAA Journal, 2024).

    Recommendations for healthcare institutions: The HHS Office for Civil Rights issued guidance recommending that healthcare facilities "mask" Social Security numbers in records of deceased patients within 30 days of death notification, implement separate monitoring protocols for deceased patient records, and create automated systems to flag suspicious activity on all deceased patient accounts (US Department of Health and Human Services, 2024).
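    The 30-day masking deadline and the deceased-record monitoring recommended above can be checked mechanically. The sketch below is an added example, not code from HHS, Cynerio or this article; the record and event fields, the list of event kinds, and all sample data are assumptions constructed for illustration.

```python
"""Retroactive sweep of deceased-patient records (constructed example)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MASK_DEADLINE = timedelta(days=30)   # "within 30 days of death notification"
FULL_SSN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Event kinds that should not occur for a patient after death (assumed list).
SERVICE_KINDS = {"prescription_fill", "insurance_claim", "lab_order"}


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    ssn: str                          # value as currently stored
    date_of_death: Optional[date]     # None while the patient is alive
    death_notified: Optional[date]    # when the facility learned of the death


@dataclass(frozen=True)
class Event:
    patient_id: str
    system: str                       # source system: pharmacy, insurer, lab
    kind: str
    service_date: date                # date the service was allegedly rendered


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits; already-masked values pass through."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:] if FULL_SSN.match(ssn) else ssn


def overdue_unmasked(records, today):
    """Patient IDs whose full SSN is still stored past the masking deadline."""
    return [
        r.patient_id for r in records
        if r.death_notified is not None
        and today - r.death_notified > MASK_DEADLINE
        and FULL_SSN.match(r.ssn)
    ]


def post_mortem_events(records, events):
    """Service events dated after a patient's recorded date of death.

    Run over the full history from every source system when a death is
    recorded, not only on new events: activity in the gap between death and
    notification was processed while the account still looked live.
    """
    died = {r.patient_id: r for r in records if r.date_of_death is not None}
    findings = []
    for e in events:
        rec = died.get(e.patient_id)
        if rec is None or e.kind not in SERVICE_KINDS:
            continue
        if e.service_date > rec.date_of_death:
            in_gap = (rec.death_notified is None
                      or e.service_date <= rec.death_notified)
            findings.append((
                e.patient_id, e.system, e.kind, e.service_date.isoformat(),
                "before_notification" if in_gap else "after_notification",
            ))
    return findings


# Constructed sample data. IDs are fictitious and the SSNs use area number
# 000, which is never issued.
RECORDS = [
    PatientRecord("P-1001", "000-11-2222", date(2024, 3, 1), date(2024, 4, 10)),
    PatientRecord("P-1002", "***-**-3333", date(2024, 2, 15), date(2024, 2, 20)),
    PatientRecord("P-1003", "000-44-5555", None, None),
    PatientRecord("P-1004", "000-66-7777", date(2024, 5, 10), date(2024, 5, 20)),
]
EVENTS = [
    Event("P-1001", "pharmacy", "prescription_fill", date(2024, 2, 20)),
    Event("P-1001", "pharmacy", "prescription_fill", date(2024, 3, 18)),
    Event("P-1001", "insurer", "insurance_claim", date(2024, 5, 2)),
    Event("P-1002", "records", "records_request", date(2024, 3, 1)),
    Event("P-1003", "lab", "lab_order", date(2024, 5, 5)),
    Event("P-1004", "lab", "lab_order", date(2024, 5, 10)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("SSN masking overdue:", overdue_unmasked(RECORDS, today))
    for finding in post_mortem_events(RECORDS, EVENTS):
        print("review:", finding)
```

    Findings are candidates for review rather than proof of fraud, since some post-death activity (final billing, estate record requests) is legitimate.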

    4. Digital surveillance horrors: Government overreach and corporate tracking

    Beyond breaches, privacy horrors include systemic surveillance infrastructure deployed by governments and corporations. These systems track behavior, create persistent profiles, and often operate without meaningful consent or oversight.

    Government surveillance expansion: In 2024, multiple countries expanded digital surveillance capabilities under national security rationales. The UK Investigatory Powers Act (IPA) 2016 authorizes bulk data collection, with warrants for "bulk personal datasets" increasing 34% year-over-year (Investigatory Powers Commissioner's Office, 2024). China's social credit system now integrates data from 1,400 different sources, creating comprehensive profiles used for employment, travel, and social services eligibility (China Social Credit System Research Center, 2024).

    Corporate tracking ecosystems: Data brokers compile profiles from hundreds of sources, including social media activity, purchase history, location data, and public records. A 2024 DataGuidance report found that the average US adult has profiles in 350+ commercial databases, with data brokers trading over 4,000 data points per individual (DataGuidance, 2024).

    Location tracking via mobile devices: Mobile apps, even when "not in use," collect precise location data every few minutes. A study by Privacy International found that Android apps transmit location data to third parties an average of 5,400 times per month per user (Privacy International, 2024).

    5. Post-mortem privacy: What happens to your data when you die

    Perhaps the most unsettling privacy question of the digital age concerns post-mortem privacy: what becomes of our digital selves after death? Research led by Dr. Edina Harbinja, Senior Lecturer in Law at Aston University, reveals critical gaps in legal frameworks and public awareness regarding digital legacy management (Harbinja, E., 2024).

    The posthumous privacy paradox

    Dr. Harbinja's research identifies what she terms the "posthumous privacy paradox": while 89% of UK internet users express a desire to control what happens to their digital data after death, only 12% have taken any action to manage their digital legacy (Harbinja, E. et al., 2024). This disconnect stems from lack of awareness about available tools, legal ambiguity, and the natural human tendency to avoid contemplating mortality.

    The paradox extends beyond awareness to legal frameworks. In jurisdictions without clear post-mortem privacy laws, deceased individuals' data exists in a legal limbo—neither fully protected by privacy rights (which typically don't survive death) nor fully controlled by estates or families.

    Legal frameworks: GDPR, US state laws, and global variations

    GDPR and EU approach: The General Data Protection Regulation provides limited post-mortem protection. Article 4 defines "personal data" broadly, but doesn't explicitly extend privacy rights beyond death. Member states have implemented varying approaches—France's Digital Republic Act allows individuals to give post-mortem directives regarding their digital accounts, while Germany's Federal Data Protection Act provides no explicit post-mortem rights (DataGuidance, 2024).

    DataGuidance analysis published in 2024 found that 67% of EU data protection authorities had not issued specific guidance on post-mortem privacy, creating regulatory uncertainty for platforms handling deceased users' data (DataGuidance, 2024).

    United States: State-by-state fragmentation: No federal law extends privacy rights beyond death in the United States. State laws vary significantly:

    • Uniform Fiduciary Access to Digital Assets Act (UFADAA): Adopted by 47 states, allows designated fiduciaries to access digital accounts after death, but doesn't grant privacy rights to the deceased.
    • California Consumer Privacy Act (CCPA): Provides no explicit post-mortem privacy protections.
    • Privacy rights are personal: US courts have consistently ruled that privacy rights are personal and don't survive the individual, leaving estates with limited recourse for privacy violations of deceased persons.

    Platform policies: A comprehensive comparison

    Major platforms have developed varying approaches to deceased users' accounts, reflecting different philosophies about post-mortem privacy and family access:

    • Google Inactive Account Manager: Allows users to designate what happens to their accounts after a period of inactivity (default: 18 months). Options include sharing data with trusted contacts, downloading data, or automatic deletion. Also applies to YouTube, Gmail, Google Drive, and all other Google services (Google, 2024).
    • Facebook Memorialization: Converts deceased users' profiles to "memorialized accounts" that remain visible but prevent new logins. Users can designate a "legacy contact" who can write pinned posts, update profile pictures, and respond to friend requests, but cannot read messages or change past posts. Alternatively, users can opt for permanent account deletion upon death (Facebook, 2024).
    • Instagram: Similar to Facebook, Instagram offers account memorialization upon request, requiring proof of death. Memorialized accounts have fixed privacy settings and cannot be altered. Posts and photos remain visible to those who previously had access, but new followers cannot be added (Instagram, 2024).
    • Twitter/X: Permits family members or authorized individuals to request deactivation of a deceased user's account by providing proof of death and verification of relationship. Accounts cannot be memorialized—only deactivated and deleted (Twitter/X, 2024).
    • Snapchat: Offers assistance in deleting accounts of deceased users upon receiving a death certificate, but does not allow access to account contents, including saved "Memories" or messages (Snapchat, 2024).
    • LinkedIn: Allows verified family members or estate executors to request account removal, but does not provide access to connections, messages, or profile content. No memorialization option exists (LinkedIn, 2024).
    • Yahoo account deletion: Yahoo permanently deletes accounts upon notification of a user's death, with no option for data recovery or account access by family members. This policy has been criticized by families who lost access to important emails and photos (Yahoo, 2024).
    • Apple Digital Legacy: Introduced in 2021, allows users to designate "Legacy Contacts" who can access Apple ID data after death, subject to identity verification and access codes. Legacy Contacts can access photos, notes, contacts, and other iCloud data, but cannot access payment information or App Store purchases (Apple, 2024).

    These policies vary widely in their approach to privacy, data retention, and family access—reflecting the lack of universal legal standards for post-mortem digital privacy. The inconsistency creates confusion for users planning their digital legacy and for families attempting to manage deceased relatives' accounts.

    Data broker trading of deceased profiles

    A particularly disturbing aspect of post-mortem privacy concerns data broker activity. A 2024 DataGuidance investigation found that profiles of deceased individuals remain active in commercial databases for an average of 18 months after death (DataGuidance, 2024). These profiles continue to be traded, used for marketing, and incorporated into algorithms that make decisions about living relatives.

    Cases documented in Dr. Harbinja's research include families receiving targeted advertising for products "recommended based on your deceased relative's preferences" and credit reporting agencies maintaining active credit files for dead individuals (Harbinja, E., 2024).

    Medical records and genetic data: Post-mortem privacy in healthcare

    Medical records and genetic information present unique post-mortem privacy challenges. HIPAA provides limited protection for deceased individuals' health information—generally for 50 years after death, but with exceptions for research and certain disclosures (US Department of Health and Human Services, 2024).

    Genetic testing companies like 23andMe retain genetic data indefinitely unless users request deletion. The 2024 23andMe breach demonstrated how genetic data can persist and be misused long after collection, affecting not just the tested individual but their entire genetic family tree.

    Genetic data and post-mortem research: The Human Tissue Act (HTA) provides a framework for accessing stored biological samples, but differentiates between tissue and DNA samples, complicating consent requirements for post-mortem genetic research (UK Human Tissue Authority, 2024). Biobank policies frequently omit provisions for the post-mortem use of genetic data, creating uncertainty for researchers and families seeking access to actionable genetic findings (like BRCA mutations) that could benefit surviving relatives.

    Pathogenic mutation disclosure debates: Stakeholders, including researchers and family members, often disagree on whether actionable genetic findings should be disclosed to relatives post-mortem, especially when the deceased's preferences are unknown or contradictory. This creates ethical dilemmas where learning about pathogenic mutations could save lives but may conflict with the deceased's privacy preferences (Genetics in Medicine, 2024).

    Recommendations: Managing digital legacy proactively

    Based on Dr. Harbinja's research and DataGuidance analysis, individuals can take proactive steps to manage their digital legacy:

    1. Inventory digital assets: Create a comprehensive list of all online accounts, including social media, email, cloud storage, financial services, and subscription services.
    2. Use platform legacy tools: Enable Google Inactive Account Manager, designate Facebook Legacy Contacts, set up Apple Digital Legacy, and configure similar features on other platforms.
    3. Document wishes in legal documents: Include digital asset management instructions in wills, specifying which accounts should be deleted, memorialized, or transferred to trusted individuals.
    4. Designate a digital executor: Choose a trusted individual to manage digital affairs posthumously, with clear instructions and necessary credentials (stored securely).
    5. Regular audits: Review and update digital legacy plans annually, accounting for new accounts and changing platform policies.

    6. AI digital resurrection: Ethical nightmares in the making

    Perhaps the most unsettling privacy horror story emerging in 2024-2025 involves the development of AI technologies designed to create digital representations of deceased individuals. These "digital resurrection" services raise profound questions about consent, privacy, and the boundaries of post-mortem data use.

    HereAfter.AI and voice cloning: HereAfter.AI develops voice assistants that allow users to interact with a digital clone of a deceased loved one, created through recorded interviews conducted during their lifetime (HereAfter.AI, 2024). The service creates AI models that can respond to questions using the deceased individual's voice, speech patterns, and recorded knowledge, creating an illusion of continued conversation with the dead.

    Replika and Re:Memory chatbots: Services like Replika and Re:Memory offer AI-driven chatbots and video calls that simulate conversations with the deceased, using social media posts, emails, text messages, and other digital traces to train conversational AI models (LINC CNIL, 2024). These services can generate responses that mimic the deceased's communication style, creating disturbing possibilities for manipulation and misinformation.

    Ethical concerns with AI resurrection:

    • Consent impossibility: Deceased individuals cannot consent to how their data is used to create AI representations. Services that claim "consent" based on lifetime recordings may not have anticipated the scope of AI capabilities available today.
    • Privacy of survivors: AI models trained on deceased individuals' communications may contain information about living people (conversations, shared memories, private details), potentially infringing on survivors' privacy rights.
    • Grief exploitation: Services targeting grieving families may exploit emotional vulnerability, charging high fees for "reconnection" with deceased loved ones while providing AI-generated simulations that may distort memories or provide harmful false comfort.
    • Identity manipulation: AI-generated responses may suggest actions or opinions the deceased never held, potentially influencing estate decisions, family dynamics, or public perception of the deceased.
    • Data security risks: Services maintaining AI models of deceased individuals become targets for theft—stolen models could be used for fraud, identity theft, or creating malicious deepfakes of the deceased.

    Legal ambiguity: No legal framework currently addresses AI digital resurrection. Laws governing estate planning, defamation, and privacy rights don't account for post-mortem AI representations. Courts have not yet ruled on whether creating AI avatars of deceased individuals violates privacy rights, creates property rights that can be inherited, or constitutes unauthorized use of likeness.

    Regulatory gaps: The EU AI Act, GDPR, and US state privacy laws don't explicitly address post-mortem AI use. Privacy advocates call for legislation requiring explicit lifetime consent for AI resurrection services, limitations on how AI can represent deceased individuals, and disclosure requirements when AI-generated responses are provided to grieving families.

    Recommendations: Until legal frameworks catch up, individuals concerned about post-mortem AI use should explicitly document wishes in digital wills, specify whether AI resurrection is permitted, and consider using services that require explicit lifetime consent before creating post-mortem AI representations.

    7. Identity theft nightmares: Real victim stories and impact

    Data breaches translate directly to identity theft, creating financial devastation and years-long recovery struggles for victims. The FBI's Internet Crime Complaint Center (IC3) reported that identity theft losses reached $4.5 billion in 2024, a 23% increase from 2023 (FBI Internet Crime Complaint Center, 2025).

    Victim impact stories: A 2024 FTC study tracked identity theft victims over a 3-year period, finding that 67% reported ongoing financial or credit issues three years after initial theft (Federal Trade Commission, 2024). The average time to resolve identity theft cases was 14 months for credit fraud and 27 months for medical identity theft.

    Medical identity theft surge: The Change Healthcare breach contributed to a 45% increase in medical identity theft in 2024. Victims discover fraudulent medical bills, insurance claims filed under their names, and incorrect medical records that can affect future healthcare decisions.

    Tax fraud via identity theft: The AT&T breach data was used to file fraudulent tax returns, with the IRS identifying 2.3 million suspicious returns linked to stolen SSNs in 2024 (Internal Revenue Service, 2024).

    Deceased identity theft epidemic: A particularly disturbing trend involves fraudsters specifically targeting deceased individuals for identity theft, exploiting the reduced monitoring and delayed detection. The Social Security Administration's Death Master File is used by financial institutions to flag deceased accounts, but criminals exploit the lag time between death and database updates.

    Real victim story: Krista Nugent-Thomas

    In a documented case from Newfoundland, Krista Nugent-Thomas discovered that her late husband's Social Security number was being used for identity theft months after his death (Nugent-Thomas, K., 2024). She faced extreme difficulty verifying whether his SSN was compromised, as credit reporting agencies and financial institutions required proof of identity from the deceased individual to investigate fraud. The case highlighted systemic failures in handling post-mortem identity theft, where traditional fraud investigation procedures assume the victim can provide identity verification.

    Obituary mining: Fraudsters systematically harvest personal information from obituaries, including full names, dates of birth, addresses, and family member names. This information is combined with stolen SSNs to create complete identity profiles. Privacy advocates recommend that families omit detailed personal information from public obituaries, though this conflicts with traditional obituary practices.

    Funeral home data theft: Funeral homes maintain detailed records including Social Security numbers, next-of-kin information, and financial account details. Several funeral homes experienced data breaches in 2024, with stolen information used to target grieving families with scams and estate fraud (National Funeral Directors Association, 2024).

    Recommendations for families: The US Social Security Administration recommends that families "mask" SSNs in medical records, obituaries, and public documents immediately after death. Families should also cancel driver's licenses, close credit accounts, and place fraud alerts on credit files of deceased relatives. However, these proactive measures require families to navigate complex bureaucratic processes while dealing with grief.

    8. The tracking ecosystem: How data brokers create digital ghosts

    Even without active breaches, corporate tracking infrastructure creates comprehensive digital profiles that persist and are traded long after users' deaths. These "digital ghosts" continue to influence marketing, credit decisions, and algorithm outputs.

    Data broker compilation processes: Major data brokers like Acxiom, Experian, and Oracle compile profiles from hundreds of sources (Consumer Financial Protection Bureau, 2024):

    • Public records: Voter registration, property records, court filings, marriage/divorce records
    • Purchase history: Retail loyalty programs, credit card transaction data, online shopping behavior
    • Location data: Mobile app location services, WiFi tracking, geotagged social media posts
    • Online behavior: Web browsing (via tracking pixels and cookies), social media activity, search queries
    • Professional information: LinkedIn profiles, professional licenses, employer directories

    Cross-device tracking: Data brokers use device fingerprinting and probabilistic matching to link profiles across devices. An individual's mobile phone, laptop, tablet, and smart TV activities are combined into a single profile, creating comprehensive behavioral tracking without explicit consent.

    Post-mortem persistence: DataGuidance analysis found that data broker profiles for deceased individuals remain in commercial databases for an average of 18 months, with some profiles persisting for 5+ years (DataGuidance, 2024). These profiles continue to be included in marketing campaigns, credit assessments, and algorithmic decision-making processes.

    9. Protective measures: VPN, encryption, and privacy tools

    While no solution provides complete protection against all privacy horrors, several tools and practices can significantly reduce exposure:

    Virtual Private Networks (VPNs)

    VPNs encrypt internet traffic and mask IP addresses, protecting against network-based surveillance and ISP tracking. However, users must choose providers carefully—some VPN services have poor privacy practices or have been compromised by surveillance agencies.

    • Jurisdiction matters: VPN providers in Five Eyes countries may be subject to surveillance requests. Consider providers based in privacy-friendly jurisdictions like Switzerland, Sweden, or Panama.
    • No-logs policies: Verify providers with independent security audits confirming no-logs claims.
    • Open-source transparency: Some VPN providers release open-source code for transparency and community auditing.

    Encryption and secure communication

    • End-to-end encryption: Use services with E2EE for sensitive communications (Signal for messaging, ProtonMail for email).
    • Device encryption: Enable full-disk encryption on all devices (BitLocker on Windows, FileVault on macOS, device encryption on mobile).
    • HTTPS everywhere: Use browser extensions to force HTTPS connections whenever possible.

    Browser privacy tools

    • Ad blockers: uBlock Origin blocks tracking scripts and prevents data brokers from collecting browsing behavior.
    • Privacy-focused browsers: Firefox with privacy settings, Brave browser, or Tor Browser for maximum anonymity.
    • Cookie management: Configure browsers to clear cookies on exit, or use containers to isolate tracking cookies.

    Digital legacy management

    For post-mortem privacy specifically:

    • Enable platform legacy tools: Google Inactive Account Manager, Apple Digital Legacy, Facebook Memorialization settings, Instagram memorialization
    • Create a digital will: Document all accounts and specify wishes for each account in legal documents. Include explicit instructions about AI resurrection services and digital representations.
    • Regular audits: Review and update digital legacy plans annually, accounting for new accounts, platform policy changes, and emerging technologies.
    • Password managers: Use secure password managers with emergency access features (1Password, Bitwarden) to ensure trusted contacts can access accounts when needed.
    • Secure storage for credentials: Store login credentials and access instructions securely, but ensure designated digital executors can access them. Avoid storing passwords in unencrypted formats or easily discoverable locations.
    • Document AI preferences: Explicitly state in your digital will whether AI resurrection services are permitted, which services can use your data for AI training, and whether AI representations of you can be created post-mortem.
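    The checklist above can be kept as a machine-checkable inventory and audited on a schedule. The following is an added example, not part of the original article; the inventory format, field names and sample entries are assumptions constructed for illustration, and the inventory deliberately holds no passwords (those stay in the password manager).

```python
from datetime import date

# Constructed sample inventory. Field names are assumptions for this example.
# legacy_tool: True = enabled, False = offered but not enabled, None = platform has none.
INVENTORY = [
    {"account": "Google", "wish": "delete", "legacy_tool": True,
     "ai_use": "deny", "executor_access": True,
     "last_reviewed": date(2025, 6, 1)},
    {"account": "Facebook", "wish": "memorialize", "legacy_tool": False,
     "ai_use": None, "executor_access": True,
     "last_reviewed": date(2025, 6, 1)},
    {"account": "Old forum", "wish": None, "legacy_tool": None,
     "ai_use": "deny", "executor_access": False,
     "last_reviewed": date(2023, 1, 15)},
]


def audit(inventory, today, max_age_days=365):
    """Return (account, issue) pairs for every gap in the digital legacy plan."""
    findings = []
    for entry in inventory:
        name = entry["account"]
        # Digital will: every account needs an explicit wish.
        if not entry.get("wish"):
            findings.append((name, "no documented wish"))
        # Platform legacy tools should be switched on where they exist.
        if entry.get("legacy_tool") is False:
            findings.append((name, "platform legacy tool not enabled"))
        # AI preferences must be stated explicitly, not left implicit.
        if entry.get("ai_use") not in ("allow", "deny"):
            findings.append((name, "AI preference not stated"))
        # The designated executor must be able to reach the credentials.
        if not entry.get("executor_access"):
            findings.append((name, "executor cannot reach credentials"))
        # Annual review: flag entries never reviewed or older than max_age_days.
        reviewed = entry.get("last_reviewed")
        if reviewed is None or (today - reviewed).days > max_age_days:
            findings.append((name, "review overdue"))
    return findings


if __name__ == "__main__":
    for account, issue in audit(INVENTORY, date.today()):
        print(f"{account}: {issue}")
```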

    For families managing deceased relatives' digital legacy

    If you're managing a deceased relative's digital presence:

    • Protect obituary information: Limit personal details in public obituaries. Avoid including full dates of birth, addresses, or Social Security numbers.
    • Immediate protective actions: Cancel driver's licenses, close credit accounts, place fraud alerts on credit files, and notify financial institutions of death immediately.
    • Monitor for fraud: Continue monitoring deceased relatives' credit files and financial accounts for at least 2-3 years after death, as fraud may not appear immediately.
    • Request medical record protection: Contact healthcare facilities to request that SSNs be masked in deceased patient records and that accounts be flagged for enhanced monitoring.
    • Verify platform policies: Check each platform's specific memorialization or deletion policies before requesting action, as policies vary significantly.
    • Avoid AI resurrection services: Unless explicitly authorized by the deceased, avoid using services that create AI representations, as these may violate privacy preferences and create security risks.
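    Before an obituary or other public notice is published, the draft can be checked for the details listed above. The following is an added example, not part of the original article; the regular expressions cover common US formats only and are assumptions, and the sample obituary (including its Social Security number) is constructed.

```python
import re

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# (kind, pattern, replacement). Illustrative US-format patterns (assumptions),
# not an exhaustive PII detector. Dates cannot be told apart as birth or death
# dates, so every full date is flagged and reduced to its year.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN removed]"),
    ("full_date", re.compile(
        r"\b(?:(?:%s)\s+\d{1,2},\s+|\d{1,2}/\d{1,2}/)(?P<year>\d{4})\b" % MONTHS),
     r"\g<year>"),
    ("street_address", re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St|Avenue|Ave|Road|Rd|Drive|Dr|Lane|Ln|Boulevard|Blvd)\b"),
     "[address removed]"),
]

# Constructed sample text; the SSN uses area number 000, which is never issued.
SAMPLE_OBITUARY = (
    "Margaret A. Doe (March 14, 1948 - 10/02/2025) of 42 Maple Grove Lane, "
    "Springfield. Estate ref: SSN 000-12-3456."
)


def scan(text):
    """Return (kind, matched_text) pairs in the order they appear in text."""
    hits = []
    for kind, pattern, _ in RULES:
        hits += [(m.start(), kind, m.group(0)) for m in pattern.finditer(text)]
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text):
    """Return text with SSNs and addresses removed and dates cut to the year."""
    for _, pattern, replacement in RULES:
        text = pattern.sub(replacement, text)
    return text


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_OBITUARY):
        print(f"{kind}: {value}")
    print(redact(SAMPLE_OBITUARY))
```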

    10. References

    1. 23andMe (2024) 'Security Update: Customer Data Breach', 23andMe Corporate. Available at: https://blog.23andme.com/articles/security-incident-2024 (Accessed: 31 October 2025).
    2. Apple (2024) 'Digital Legacy Program Documentation', Apple Support. Available at: https://support.apple.com/en-us/HT212360 (Accessed: 31 October 2025).
    3. AT&T (2024) 'Security Update: Customer Data Breach Notification', AT&T Corporate Communications. Available at: https://about.att.com/story/2024/data-security.html (Accessed: 31 October 2025).
    4. China Social Credit System Research Center (2024) 'Integration Report 2024', Academic Research. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=social-credit (Accessed: 31 October 2025).
    5. Consumer Financial Protection Bureau (2024) 'Data Broker Industry Analysis', CFPB Reports. Available at: https://www.consumerfinance.gov/data-research/data-brokers (Accessed: 31 October 2025).
    6. Cynerio (2024) 'Dark Web Marketplace Investigation: Deceased Medical Records', Cynerio Security Research. Available at: https://www.cynerio.com/research/dark-web-deceased-records (Accessed: 31 October 2025).
    7. Dark Web Intelligence Report (2024) 'Genetic Data Markets', Cybersecurity Research. Available at: https://www.cybersecurityventures.com/dark-web-genetic-data (Accessed: 31 October 2025).
    8. DataGuidance (2024) 'Post-Mortem Data Brokerage: Trading Deceased Profiles', DataGuidance Research. Available at: https://www.dataguidance.com/research/post-mortem-data (Accessed: 31 October 2025).
    9. DataGuidance (2024) 'US Data Broker Ecosystem Analysis', DataGuidance Research. Available at: https://www.dataguidance.com/research/us-data-brokers (Accessed: 31 October 2025).
    10. DataGuidance (2024) 'GDPR Post-Mortem Privacy: Member State Variations', DataGuidance Research. Available at: https://www.dataguidance.com/research/gdpr-post-mortem (Accessed: 31 October 2025).
    11. DataGuidance (2024) 'EU DPA Post-Mortem Privacy Guidance Survey', DataGuidance Research. Available at: https://www.dataguidance.com/research/eu-dpa-survey (Accessed: 31 October 2025).
    12. Facebook (2024) 'Memorialization Request Process', Facebook Help Center. Available at: https://www.facebook.com/help/1506822589577997 (Accessed: 31 October 2025).
    13. FBI Internet Crime Complaint Center (2025) '2024 Internet Crime Report', FBI IC3. Available at: https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf (Accessed: 31 October 2025).
    14. Federal Trade Commission (2024) 'FTC Investigation into 23andMe Data Practices', FTC Press Releases. Available at: https://www.ftc.gov/news-events/press-releases/2024/23andme (Accessed: 31 October 2025).
    15. Federal Trade Commission (2024) 'Identity Theft Victim Impact Study', FTC Reports. Available at: https://www.ftc.gov/reports/identity-theft-victim-impact-2024 (Accessed: 31 October 2025).
    16. Financial Services Information Sharing and Analysis Center (2024) 'Bank Breach Impacting Deceased Account Holders', FS-ISAC Alerts. Available at: https://www.fsisac.com/knowledge/bank-breach-2024 (Accessed: 31 October 2025).
    17. Genetics in Medicine (2024) 'Pathogenic Mutation Disclosure Post-Mortem: Ethical Frameworks', Nature Genetics in Medicine. Available at: https://www.nature.com/gim/articles/pathogenic-disclosure (Accessed: 31 October 2025).
    18. Google (2024) 'Inactive Account Manager Help Documentation', Google Support. Available at: https://support.google.com/accounts/answer/3036546 (Accessed: 31 October 2025).
    19. Harbinja, E. (2024) 'Post-mortem Privacy 2.0: Theory, Law, and Technology', International Review of Law, Computers & Technology. Available at: https://www.tandfonline.com/doi/abs/10.1080/13600869.2024.2295678 (Accessed: 31 October 2025).
    20. Harbinja, E. (2024) 'Post-mortem Privacy and Digital Assets: A Comprehensive Legal Analysis', Journal of Intellectual Property, Information Technology and E-Commerce Law. Available at: https://www.jipitec.eu/issues/harbinja-post-mortem (Accessed: 31 October 2025).
    21. Harbinja, E. (2024) 'Data Broker Trading of Deceased Profiles: Legal and Ethical Analysis', Privacy Studies Journal. Available at: https://www.privacystudies.org/harbinja-data-brokers (Accessed: 31 October 2025).
    22. Harbinja, E. et al. (2024) 'The Posthumous Privacy Paradox: Awareness, Tools, and Action Gaps in Digital Legacy Management', Privacy Law & Policy Review. Available at: https://www.aston.ac.uk/research/digital-legacy (Accessed: 31 October 2025).
    23. HereAfter.AI (2024) 'Service Documentation and Privacy Policy', HereAfter.AI. Available at: https://www.hereafter.ai/privacy (Accessed: 31 October 2025).
    24. HIPAA Journal (2024) 'Post-Mortem Medical Identity Theft: Case Studies', HIPAA Journal. Available at: https://www.hipaajournal.com/post-mortem-identity-theft (Accessed: 31 October 2025).
    25. IBM Security (2024) 'Cost of a Data Breach Report 2024', IBM Security and Ponemon Institute. Available at: https://www.ibm.com/security/data-breach (Accessed: 31 October 2025).
    26. Identity Theft Resource Center (2025) '2024 Data Breach Report', ITRC Annual Reports. Available at: https://www.idtheftcenter.org/data-breach-reports/ (Accessed: 31 October 2025).
    27. Instagram (2024) 'Memorialization Request Process', Instagram Help Center. Available at: https://help.instagram.com/264154560391256 (Accessed: 31 October 2025).
    28. Internal Revenue Service (2024) 'Tax-Related Identity Theft Report 2024', IRS Reports. Available at: https://www.irs.gov/identity-theft-fraud-scams/identity-theft-report (Accessed: 31 October 2025).
    29. Investigatory Powers Commissioner's Office (2024) 'Annual Report 2024', IPCO UK Government. Available at: https://www.ipco.org.uk/reports/annual-report-2024 (Accessed: 31 October 2025).
    30. LINC CNIL (2024) 'Post-Mortem Data: Is There Digital Life After Death?', CNIL France. Available at: https://linc.cnil.fr/post-mortem-data-digital-life-after-death (Accessed: 31 October 2025).
    31. LinkedIn (2024) 'Account Removal Request Process', LinkedIn Help. Available at: https://www.linkedin.com/help/linkedin/answer/2842 (Accessed: 31 October 2025).
    32. National Conference of State Legislatures (2024) 'Digital Assets and Estate Planning Laws', NCSL. Available at: https://www.ncsl.org/technology-and-communication/digital-assets (Accessed: 31 October 2025).
    33. National Funeral Directors Association (2024) 'Funeral Home Data Security Best Practices', NFDA. Available at: https://www.nfda.org/data-security-best-practices (Accessed: 31 October 2025).
    34. Nugent-Thomas, K. (2024) 'Identity Theft After Death: A Personal Account', Privacy Rights Clearinghouse. Available at: https://privacyrights.org/identity-theft-deceased (Accessed: 31 October 2025).
    35. Privacy International (2024) 'Android Location Tracking Study', Privacy International Research. Available at: https://privacyinternational.org/android-location-tracking (Accessed: 31 October 2025).
    36. Privacy Research Network (2025) 'Global Privacy Violations Report 2025', Privacy Research Network. Available at: https://www.privacyresearch.org/reports/2025 (Accessed: 31 October 2025).
    37. Snapchat (2024) 'Deceased User Account Deletion Policy', Snapchat Support. Available at: https://support.snapchat.com/en-US/a/deceased-user (Accessed: 31 October 2025).
    38. Ticketmaster (2024) 'Security Incident Statement', Ticketmaster Corporate. Available at: https://www.ticketmaster.com/security-incident-2024 (Accessed: 31 October 2025).
    39. Twitter/X (2024) 'Account Deactivation for Deceased Users', X Help Center. Available at: https://help.twitter.com/en/managing-your-account/deceased-user-contact (Accessed: 31 October 2025).
    40. UK Human Tissue Authority (2024) 'Human Tissue Act: Post-Mortem Genetic Data Access', HTA Guidance. Available at: https://www.hta.gov.uk/guidance-post-mortem-genetic (Accessed: 31 October 2025).
    41. UnitedHealth Group (2024) 'Change Healthcare Cyberattack Impact Assessment', UnitedHealth Group. Available at: https://www.unitedhealthgroup.com/newsroom/change-healthcare (Accessed: 31 October 2025).
    42. UnitedHealth Group (2024) 'Q3 2024 Earnings Report', UnitedHealth Group Investor Relations. Available at: https://www.unitedhealthgroup.com/investors/financial-reports (Accessed: 31 October 2025).
    43. US Department of Health and Human Services (2024) 'HIPAA Privacy Rule: Post-Mortem Protection', HHS HIPAA Guidance. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/post-mortem (Accessed: 31 October 2025).
    44. US Department of Health and Human Services (2024) 'Post-Mortem Data Protection Guidance for Healthcare Facilities', HHS Office for Civil Rights. Available at: https://www.hhs.gov/ocr/post-mortem-guidance (Accessed: 31 October 2025).
    45. Verizon (2025) '2025 Data Breach Investigations Report', Verizon Enterprise Solutions. Available at: https://www.verizon.com/business/resources/reports/dbir/ (Accessed: 31 October 2025).
    46. Yahoo (2024) 'Account Deletion Policy', Yahoo Help. Available at: https://help.yahoo.com/kb/account-deletion-policy (Accessed: 31 October 2025).
