At what level do you think American PII protection is working?

I can't go to a dentist/medical/eye appointment without the office staff looking me up or adding to some kind of unethical dark web profile.

Maybe the data at rest is secure but it doesn't really matter when the staff is leaking all the data as it is getting stored in their systems.