Identitytheft.org is a privately owned website and is not associated with any government agencies.

What is Medical Identity Theft? How it Occurs and Prevention

Medical identity theft occurs when someone uses your personal information to receive medical treatment or to obtain prescription drugs, without your knowledge or consent. This type of identity theft can be especially dangerous because it can result in the contamination of your medical records, which can lead to misdiagnosis or incorrect treatment.

How Does Medical Identity Theft Occur?

Medical identity theft can happen in a variety of ways. Here are some common methods used by identity thieves to steal medical identities:

  • Stealing Physical Medical Documents: An identity thief may steal your physical medical documents, such as medical records, insurance statements, or bills, from your home, workplace, or trash.
  • Hacking into Medical Systems: Identity thieves can also hack into medical systems, such as hospitals or clinics, to access sensitive medical records and personal information.
  • Phishing Scams: Phishing scams are a common tactic used by identity thieves to trick people into giving away their personal information. The scammer may pose as a healthcare provider or insurance company and ask for personal information.
  • Using Stolen Personal Information: If an identity thief has already stolen your personal information, such as your social security number or date of birth, they can use that information to open up a fraudulent medical account in your name.
  • Employee Theft: Sometimes, medical identity theft can occur due to employee theft. A healthcare employee may use their access to medical records to steal patient information for their own gain.

One primary method is through data breaches of healthcare providers’ or insurers’ electronic systems. Hackers target these organizations for the rich personal and medical information they hold. They might use malware, phishing attacks, or exploit vulnerabilities in the security software to gain unauthorized access to the systems. Once inside, they can exfiltrate personal data of patients or insurance members.

Phishing attacks are also common, where attackers masquerade as legitimate entities, such as a health insurance provider or a medical institution, to trick individuals into providing their personal information. They might send emails or text messages that urge the recipient to click on a malicious link or attachment, leading to the theft of personal information.

Another vector is through insider threats, where employees of healthcare institutions misuse their access to patient records for personal gain or out of malice. These individuals might sell personal information on the dark web or use it themselves to commit fraud.

Physical theft of documents or devices is another way medical identity theft occurs. Thieves might steal laptops, hard drives, or paper records containing sensitive patient information from healthcare facilities. Even discarded documents not properly disposed of can become a source of information for identity thieves.

Social engineering techniques are also employed, where thieves manipulate individuals or healthcare staff into divulging confidential information. This could be done over the phone, in person, or through impersonation tactics.

The Federal Trade Commission Receives Over 28,000 Reports of Medical Identity Theft Every Year.

Detecting Medical Identity Theft

Detecting medical identity theft can be challenging, but there are several signs that you can look for:

  • Check Your Explanation of Benefits (EOB) Statements: Review your EOB statements from your insurance provider carefully. Look for any medical services that you did not receive or any charges that you don’t recognize.
  • Check Your Medical Bills: Review your medical bills for any services that you did not receive or any charges that you don’t recognize. If you receive a bill for medical services that you did not receive, contact your healthcare provider and insurance company immediately.
  • Monitor Your Credit Reports: Regularly monitor your credit reports to ensure that there are no unauthorized accounts or charges.
  • Review Your Medical Records: Request a copy of your medical records from your healthcare provider and review them for any medical conditions or treatments that you did not receive.
  • Be Aware of Unsolicited Health Services: Be cautious of unsolicited calls or emails offering free health services or products, as they may be a sign of medical identity theft.

Regularly reviewing medical statements and insurance explanation of benefits (EOB) statements is crucial. Look for charges for services not received, unfamiliar providers, or discrepancies in service dates. These documents often provide the first clues to unauthorized use of medical information.

Monitoring credit reports for unexpected medical billing entries can also reveal identity theft. Credit reports may list debt collections for medical services the victim did not undergo, indicating someone else has incurred charges in their name.

Patients should be alert to receiving a notice from their health insurance provider about reaching their benefit limit, which could suggest that someone else has been using their benefits. Similarly, being denied insurance because medical records show a condition the patient does not have can be a sign of medical identity theft.

Using advanced security software that includes identity theft protection features can help individuals detect unauthorized activities involving their personal information. These tools often provide real-time alerts if someone attempts to use the individual’s information to apply for credit or services in their name.

Healthcare providers can employ sophisticated anomaly detection systems in their IT infrastructure to identify unusual access patterns or unauthorized access attempts to patient records. These systems use machine learning algorithms to learn normal access patterns and flag deviations, potentially indicating insider threats or external breaches.

Implementing strong authentication measures and access controls within healthcare and insurance IT systems helps in early detection of unauthorized access attempts, minimizing the risk of data breaches that lead to medical identity theft.

Engagement in healthcare decisions and communication with providers is also essential. Patients should feel empowered to question their care providers about the security of their medical information and the steps taken to protect it.

In the event of receiving bills for medical services not received, it’s important to act immediately by contacting the provider and insurance company to dispute the charges and report the possibility of identity theft.

Awareness and education about phishing schemes and other social engineering tactics can enable individuals to recognize and avoid potential threats, reducing the risk of personal information being stolen and misused.

Participating in medical and insurance provider online portals with secure messaging and account monitoring features allows for more direct and immediate oversight of one’s medical transactions and insurance claims, offering another layer of detection against fraudulent activities.

Medical Records are Compromised at a Rate Nine Times Greater than Financial Records.

Medical Identity Theft Protection

To protect against medical identity theft, it is important to understand how it happens and what steps you can take to prevent it. Here are some tips for protecting your medical identity:

  • Guard Your Personal Information: The first step in protecting your medical identity is to guard your personal information carefully. This includes your name, address, date of birth, social security number, and insurance information. You should never give out this information to anyone who doesn’t have a legitimate need to know.
  • Shred Your Medical Documents: When you receive medical documents such as bills, insurance statements, and medical records, make sure to shred them before disposing of them. This will prevent someone from digging through your garbage and finding your personal information.
  • Review Your Medical Records: It’s important to review your medical records regularly to make sure that there are no errors or fraudulent activities. If you notice anything suspicious, report it immediately to your healthcare provider.
  • Be Careful with Online Medical Forms: When filling out online medical forms, be sure to only enter the necessary information. Do not enter any unnecessary personal information that could be used to steal your identity.
  • Be Cautious of Scams: Scammers may pose as healthcare providers or insurance companies and ask for your personal information. Always verify the legitimacy of the request before providing any personal information.
  • Use Strong Passwords: If you have an online account with your healthcare provider or insurance company, make sure to use a strong password that is difficult to guess. You should also change your password regularly.
  • Be Mindful of Public Wi-Fi: When using public Wi-Fi, be cautious about entering personal information. Public Wi-Fi networks can be easily hacked, and your personal information can be stolen.
  • Report Any Suspicious Activity: If you suspect that your medical identity has been stolen, report it immediately to your healthcare provider and your insurance company. The earlier you report the theft, the better the chances of minimizing the damage.

Securing personal information is fundamental. This involves safeguarding Social Security numbers, health insurance ID numbers, and other personal data by not sharing them unnecessarily, especially over the phone or via email, unless you are certain of the recipient’s identity and the security of the transmission method.

Using strong, unique passwords for online medical and insurance accounts is critical. Employing a password manager can help manage these passwords securely, ensuring that they are difficult to guess and are stored in an encrypted format.

Activating two-factor authentication (2FA) for all accounts that offer it adds an extra layer of security. Even if a password is compromised, 2FA can prevent unauthorized access by requiring a second form of verification, typically a code sent to a mobile device or generated by an authenticator app.

Regularly monitoring medical records and insurance statements for any signs of unauthorized activities is key. Requesting an annual summary of benefits from health insurers allows for a review of all services billed to your insurance over the year, helping to spot any discrepancies or fraudulent claims.

Maintaining control over personal medical information means being mindful of where and how this information is stored and shared. Ensure that physical documents are kept in a secure place and that electronic records are stored on encrypted devices or secure cloud services.

Educating oneself about phishing scams and social engineering tactics is necessary to recognize and avoid these threats. Be wary of unsolicited requests for personal or medical information and verify the authenticity of any communication claiming to be from healthcare providers or insurers.

Installing and regularly updating antivirus and anti-malware software on personal devices protect against malicious software designed to steal personal information. Ensure that all devices, including smartphones, tablets, and computers, are secured with comprehensive security software.

Using secure networks, especially when accessing or transmitting personal medical information online, means avoiding public Wi-Fi networks for such activities. If public Wi-Fi must be used, employing a virtual private network (VPN) can encrypt the data being sent and received, protecting it from interception.

Engaging with healthcare providers about the security of personal medical information involves asking questions about how they protect patient data and what steps they would take in the event of a data breach.

Immediately reporting lost or stolen health insurance cards to the issuer can prevent unauthorized use. Similarly, if identity theft is suspected, reporting it to healthcare providers, insurance companies, and the relevant authorities can help mitigate the damage and prevent further misuse of personal information.

Close to 500,000 People Have Been Victims of Medical Identity Theft Since 2003.

What to do if You Suspect Medical Identity Theft

If you suspect that you have become a victim of medical identity theft, there are several steps that you should take immediately to protect yourself. Here’s what to do:

  • Contact Your Healthcare Provider: The first thing you should do is contact your healthcare provider and explain the situation. Ask them to review your medical records for any fraudulent activity and to correct any errors.
  • Contact Your Insurance Company: If the fraudulent activity involved your insurance, contact your insurance company and report the theft. They can help you to investigate the incident and may be able to provide you with resources to protect yourself.
  • File a Police Report: File a police report with your local police department. Be sure to provide them with all the information you have, including any evidence or documentation of the theft.
  • Request Your Medical Records: Request a copy of your medical records from all healthcare providers that you have used. This can help you to identify any fraudulent activity.
  • Freeze Your Credit: Consider placing a freeze on your credit to prevent further fraudulent activity. This will prevent anyone from opening new accounts or lines of credit in your name.
  • Monitor Your Accounts: Monitor your bank and credit card accounts regularly for any suspicious activity. Report any unauthorized charges or withdrawals to your financial institution immediately.
  • Consider Identity Theft Protection: Consider enrolling in an identity theft protection service that can help you to monitor your credit and alert you to any suspicious activity.

Contact your health insurance company to report the suspicion of identity theft. Inform them of any discrepancies or fraudulent charges you have noticed. Request a review of recent claims and an audit of your account for any unusual activity.

Review your medical records for inaccuracies. Request a copy of your medical records from your healthcare providers to check for services you did not receive or diagnoses that are not yours. This step is vital in identifying and correcting any false information.

Report the identity theft to the Federal Trade Commission (FTC) through their website or by phone. The FTC provides resources and assistance for victims of identity theft, including a recovery plan and the ability to file a complaint.

Report Medical Identity Theft

Report Your Medical ID Theft to the FTC at IdentityTheft.gov

File a report with your local police department. Provide them with as much documentation as possible, including any correspondence with your insurance company or healthcare providers, and a copy of the FTC complaint, if filed. A police report can be helpful in disputing fraudulent charges and may be required by your insurance company.

Place a fraud alert on your credit reports by contacting one of the three major credit bureaus (Equifax, Experian, or TransUnion). Once you place a fraud alert with one bureau, they are required to notify the other two. This alert informs creditors to verify your identity before opening new accounts in your name.

Consider placing a credit freeze on your files, which prevents creditors from accessing your credit report entirely. A credit freeze can offer more robust protection against identity theft, though it needs to be lifted temporarily if you apply for credit.

Dispute any fraudulent transactions or inaccuracies with healthcare providers and insurance companies in writing. Keep copies of all correspondence and documentation related to the dispute process.

Monitor your credit reports and health insurance statements regularly for any further signs of fraud. This ongoing vigilance can help catch new instances of identity theft early.

Engage with healthcare providers to secure your medical records. Discuss the situation and ensure that they have flagged your records for potential fraud, implementing additional verification steps for future services.

Educate yourself on the rights afforded to you under the Health Insurance Portability and Accountability Act (HIPAA) regarding the privacy and security of your medical information. Understanding these rights can empower you to take more effective action in protecting your information and seeking redress.

Bottom Line

Medical identity theft is a serious problem that can have long-lasting consequences. By taking the steps outlined above, you can protect your medical identity and prevent yourself from becoming a victim of this crime. Remember to always be cautious with your personal information and to report any suspicious activity immediately.

2024 Data Sources