Revised – April 17, 2024

What to know about medical identity theft

Medical identity theft (ID) has become one of the fastest growing forms of identity theft in the United States. 

Fueling this rise is the increased digitization of medical records and the rise of the value of these records on the black market. Medical ID theft is often underreported and reported long after the event because people don’t recognize a problem until there is an issue with a medical bill or record.

Let’s take a deeper dive into what’s going on and provide some tips and information on how to protect yourself and your personal information.

What is Medical Identity Theft?

Medical identity theft takes place when someone uses your personal information to steal medical services, goods and prescription drugs. This can range from simple doctors’ office visits, the wheelchairs and durable medical equipment, all the way up to surgeries.

Personal information can be a Social Security number, your address, a Medicare or Medicaid card, your Personally Identifiable Information from a current private health plan or any other number of related healthcare data or prescription histories.

Your medical identity information is a valuable commodity that can be used to falsify insurance claims or acquire government medical services, including Medicare and Medicaid.  Some people will steal your medical information and sell it on the black market, creating new identities for other people using your personal data.

A lost wallet or a stolen purse can lead to years of misery, even if you file a police report and cancel all your credit cards and health accounts.  Often, victims are unaware for many years that medical identity theft has occurred. It’s not uncommon that people find out when their credit report takes a significant hit, or they are turned down for new credit because they were unaware that someone else was running up medical bills in their name. 

There are some cases where medical identity theft also takes place knowingly when people share their medical coverage with uninsured friends or family members. As you can guess, this is absolutely against the law. 

Health professionals are also part of the problem. There are numerous instances of doctors and medical offices using a patient’s health information without their knowledge to submit fraudulent bills to insurance companies. It’s possible to rack up hundreds of thousands of dollars of fraudulent charges before perpetrators are caught, if ever. 

Why is medical identity theft on the rise?

As the medical industry has migrated to electronic records, access to services and records are available online, making some an easy target for sophisticated thieves. One of the most notable instances of medical identity theft took place a few years ago when thieves stole 70 million records from the health insurer Anthem.  

The unintended fallout from this is that when someone else uses your medical information, it can create serious medical record problems. According to the Medical Identity Fraud Alliance, as many as 20 percent of medical identity theft victims are given the wrong diagnosis or treatment, or that their care is delayed due to confusion about their medical records. 

Another reason it’s on the rise is that the cost of medical services is on the rise. Healthcare costs have become a major flashpoint of public debate, fueled by increased costs that consumers must pay for coverage and treatment. 

Some other types of financial identity theft are protected under the Fair Credit Billing Act. For example, if someone uses your credit card without authorization, you are liable for only $50 of unauthorized charges when you follow appropriate notification steps. 

That’s not the case with losses resulting from medical identity theft. According to one study, almost two-thirds of victims had to pay an average of more than $13,000 (including attorney’s fees) to resolve their cases. 

Is medical identity theft an increasing problem?

One estimate from an article by Allstate Insurance puts the total estimated economic impact of medical identity theft in the U.S. at more than $41 billion annually. 

Additionally, the Allstate article reported that the healthcare industry is the only industry where insiders pose the greater threat. Employees caused 56 percent of the breaches, while external actors caused 44 percent, according to Allstate. Surprisingly, the article went on to state that many of the internal breaches are healthcare staff unintentionally revealing employee or patient data. This portion of the problem accounts for more than one-third of all-healthcare-related data breaches, according to Allstate.

Another reason medical identity theft is on the rise is that trafficking in stolen medical information is lucrative. Many sources report that medical records can sell for 10 times or more than credit or debit card records, sometimes reaching $1,000 or more per record.

The problem for healthcare providers is that while they want a secure environment for medical records and personal information, it’s also critical for doctors to be able to readily access and share health-related information to provide timely diagnosis and treatment for patients. This is especially true in an emergency.

Am I in a high risk group for medical identity theft?

Medical identity theft occurs at an alarming rate each year and, no surprise, older adults and those on Medicare are primary targets. Thieves will steal medical information, their Medicare numbers and Social Security numbers. Studies have shown that older adults are more susceptible because they are less suspicious about giving up personal health information. 

Children’s records are also a big target. A minor’s credit report is generally not tracked by parents until the child gets credit in his or her name. Until then, the thieves can rack up bills and create a long list of unpaid debts that will go unnoticed, sometimes for years. 

Other susceptible groups include people with chronic conditions such as cancer or diabetes.  That’s because the more interactions a patient has with a healthcare provider, the more opportunities there are for their records to be accessed and stolen.  

Heavy users of social media can also be at risk as well. It is not uncommon for a heavy user of social media to post personal information. This can unlock the door to a knowledgeable thief.

How is new technology impacting medical identity theft?

We can hardly keep up with the new tricks thieves are playing using new technology. Here are a few:

• Artificial Intelligence and Machine Learning. Is there a day that goes by without some mention of AI? Well, it has hit the healthcare industry in a big way. These new technologies can sift through vast amounts of data in seconds, exposing vulnerabilities in systems and stealing millions of records with precision we have never seen before. Traditional cybersecurity defenses are struggling to keep up with the bad guys.
• Social Engineering. Phishing remains one of the most prevalent tactics employed by identity thieves. In healthcare settings, phishing emails may masquerade as legitimate communications from healthcare providers or insurance companies, enticing recipients to click on malicious links or disclose personal data. There is also pretexting, which involves the use of deceptive tactics to manipulate individuals into divulging confidential information. Pretexting may involve impersonating healthcare professionals or representatives from healthcare organizations to elicit sensitive patient data from unsuspecting victims.

The next section provides tips on how you can fight back. 

How to protect yourself from identity thieves

There are several things you can do to protect yourself against medical identity theft:

• Review All Medical Bills. Review the explanation of benefits (EOB) from your insurer to see if there are any listings for office visits you did not make or medical treatments you did not receive. Challenge any bill you get for treatment you did not receive.
• Shred Sensitive Information. This includes outdated insurance forms, physician statements, prescription paperwork and other documentation containing your medical information. It’s not enough to simply throw it away. 
• Check Free Credit Reports. Do this at least once a year, more often if you use medical providers frequently. Be on the lookout for health care expenses you don’t recognize. You can get one free report every 12 months from Experian, Equifax and TransUnion.
• Know Your Rights Under HIPAA. You have the right to an accounting of disclosures.  It is a record of disclosures of personal health information made by health care providers or insurers. The record shows what, when and why the information was disclosed, and the recipient of the information.
• Protect Your Information. Do not give out any medical care personal information over the phone from someone claiming to be with your insurance provider or Medicare. You may also be induced to give out your contact information in exchange for free introductory medical services or products. If you lose your Medical ID card or someone steals it, contact providers immediately so it can be canceled and a new one issued.
• Keep Good Records. This includes doctors’ appointments, prescriptions and medical procedures. This will make it easier for you to dispute any errors or identity theft-related issues.
• Annual Information Checkup. At least once a year ask your insurer for a full list of benefits paid in your name.
• Get Identity Theft Protection. These services can monitor your personal information, including medical data. When a red flag pops up, you’re notified so that you can minimize or stop any thefts from taking place. 
• Leverage Professional Services. Enlist the services of reputable providers like SDD  of St. Louis that offer on-site Medicare records shredding services or HIPAA compliant shredding services. 

What to do if someone is using your medical information

If you are the victim of a large breach of medical records, you will be notified by the provider that there was a breach, and they will detail what actions you can take to make sure you are not personally a victim. 

If you suspect you are a victim of medical identity theft, start by contacting your healthcare provider to see if a mistake has been made. You can also report the breach to the Federal Trade Commission at IdentityTheft.gov.

You should also file a police report where you live.  Give a copy of the police report to your medical providers, credit bureaus and insurance companies.

If you are a Medicare recipient, report questionable charges by calling 1-800-MEDICARE or contact the Senior Medicare Patrol for assistance at 1-877-808-2468.

If you suspect Medicare fraud, contact the U.S. Department of Health and Human Services Office of the Inspector General Fraud Hotline at 1-800-HHS-TIPS. 

Consider submitting an identity theft report to the Federal Trade Commission (FTC). Doing so will help show parties evaluating your identity theft claims that your theft is real. In some cases, creditors or billing departments may require a police report before erasing fraudulent charges from your accounts.

Also, get copies of the medical files related to the theft and take steps quickly to correct mistakes and stop further use of your information.

Here are a couple more resources:

• If a health care provider has not allowed you to see your medical records, file a complaint with the Office of Civil Rights at Health and Human Services by calling 1-800-368-1019. 
• You might also contact a consumer watchdog organization like the Identity Theft Resource Center for additional information and help.

In conclusion, identity theft is all around us. Your best protection is paying attention to the details of your healthcare treatment.