You’ve probably heard of identity theft, but it's usually in relation to fraud — someone stealing your personal data in order to gain access to your money. Medical identity theft is a lesser-known but equally dangerous threat that can jeopardize your finances and health.
Read on for a description of medical identity theft. Learn about the many ways it can occur, then get tips for how to protect yourself (and your loved ones) from medical identity theft.
What is medical identity theft?
The first step is understanding what identity theft is and how it relates to your medical information. Medical identity theft occurs when someone uses your name or insurance information to receive health care or file fraudulent claims. Like other types of identity theft, medical identity theft can have significant negative financial impacts on victims. You could receive bills for expensive procedures you never had or start getting calls from debt collectors about debts you never incurred.
Medical identity theft also poses threats to your health. For instance, imagine someone fraudulently receives medical treatment under your name. You could end up with inaccurate diagnoses, treatments and prescriptions listed in your medical history. As a result, you could receive inappropriate, even life-threatening, care in the future. Inaccurate records can be especially dangerous during an emergency when doctors rely on your medical charts to guide your care and make split-second decisions if you’re incapacitated.
How can medical identity theft occur?
Medical identity theft is a broad term encompassing many types of medical fraud. Here are some of the most common ways that medical identity fraud occurs.
Breached databases that expose personal medical information
With so much sensitive information stored electronically, database breaches can be catastrophic. A breach occurs when an unauthorized person gains access to a database, either physically or virtually. Once they've breached a database, criminals may have access to sensitive details they can use to get medical services using a victim's name and medical information. Or they could sell the information online on the dark web.
If your medical information has been compromised in a database breach, you'll likely receive a letter informing you of the breach and what was leaked.
If your information has been stolen, report the theft to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338.
You should consider putting a freeze or fraud alert on your credit records. You can do this by calling each of the three major credit bureaus: Equifax, Experian and TransUnion. You can also request a freeze online directly through the credit bureaus’ websites. Also, contact the Social Security Administration at 1-800-772-1213 to request to block electronic access to your online Social Security account.
If your health insurance information was compromised, call your insurance company to let them know. Keep a close eye on your Explanation of Benefits (EOB) statement to look for suspicious activity.
Improper disposal of sensitive medical records
Sensitive medical records contain information criminals can use to steal your medical identity. You, your health care providers and your insurance company all have copies — that's a lot of records that need to be properly disposed of. Medical providers and insurance companies are legally obligated to dispose of all medical records securely by shredding, pulping, burning or pulverizing paper records and purging, clearing or otherwise destroying electronic records; you have control over your own copies. Still, due to human error, mistakes can happen at any point.
One mistake, such as losing your insurance card or forgetting to remove the label before discarding a prescription bottle, is all it takes for a thief to get ahold of sensitive information. And, unlike when a database is breached, you likely won't get any alert that your information was compromised until you start to see warning signs of a stolen medical identity.
Phishing scams that trick individuals into giving up their medical information
If you receive an email or text asking for medical or personal information, such as your Social Security number, it could be a phishing scam. In a phishing scam, a scammer claims to be from a trusted organization, such as a bank, and gets you to voluntarily disclose certain details. The scammer may then be able to use that information to open accounts in your name or sell it to third parties.
Never give out your data if you're asked for it by text or email. And if you receive an email asking you to click on a link or open an attachment to update your medical or billing information, it's probably a scam.
To protect yourself against phishing scams, follow this advice:
- Never open a text or email from a company or health care organization you don't recognize.
- Don't click on links or attachments asking you to update information.
- Use multi-factor authentication on all patient portals and online medical accounts whenever it's available.
- Use security software on your computer — we have a list of the best identity theft protection services — and make sure it's set up to update automatically.
Insider theft by health care professionals
Medical identity theft sometimes occurs when a health care professional steals sensitive medical information. They could take records that are supposed to be disposed of, take pictures of information on a computer screen or steal a laptop that contains secret data. They could then file fake insurance claims or sell the information to criminals.
Medical identity theft by family members
Sometimes, family members take advantage of having easy access to your medical and health insurance information. The family member could use your information to receive treatment, medication or health care supplies in your name. To protect yourself from medical theft by family, here are a few things you can do:
- Keep your passwords to patient portals and medical accounts locked up.
- Never leave your medical statements or health insurance card lying around.
- Don't permit health care providers to leave detailed voicemails on shared answering machines.
Examples of medical identity theft
We've come up with some examples of medical identity theft to help you better understand how it happens, who it affects and the most typical medical identity theft consequences.
1. A 32-year-old woman, J.B., gets her EOB and billing statements in the mail, looks them over and then throws them in the recycling bin at her apartment complex. Another resident walks by the bin, sees the paperwork and takes it. He then scans the statements into his computer and sells them on the dark web. The buyer now has J.B.'s name, address, phone number, date of birth, health insurance information, the names of her doctors and which treatment facilities she uses. The buyer then uses the information to receive expensive cancer treatments in J.B.'s name.
One day, J.B. gets a call from a debt collector telling her she owes $11,000 for those treatments. When she investigates, she learns that $11,000 was spent at medical facilities she's never been to (for a condition she’s never had). She calls her insurance company to report the fraudulent charges and asks for a new policy number. A year later, she's still trying to fight the charges and restore her credit.
2. A 74-year-old man, K.J., has the passwords to his online medical accounts taped to the side of his computer monitor. A home health aide takes a picture of the passwords and gives them to her older brother. Her brother signs into the accounts, gets K.J.'s information and Medicare number, and uses it to get treatment for his diabetes. When K.J. sees a new doctor, the provider reads his treatment history and decides to order at-home finger sticks and a prescription medication to treat high blood sugar. Without knowing this, K.J. takes the first dose of the medication, and his blood sugar plummets, creating a life-threatening situation.
These two fictional medical identity theft examples illustrate how dangerous medical identity theft can be. Similar real-life medical identity theft cases are frequently in the news and can be a good reminder to safeguard sensitive medical information.
How to prevent medical identity theft
With so many ways for your medical identity to be stolen, you may wonder how to protect yourself from identity theft. There are many steps you can take, and most of them are pretty simple. Here are some of the most effective ways to protect yourself (and some information on how to check for identity theft).
1. Safeguard your medical insurance cards
Your medical insurance cards have a lot of sensitive information that criminals can use to steal your medical identity. Be sure to keep your insurance cards in a safe place. Other items you should guard include:
- Medical insurance enrollment forms
- Prescriptions and prescription bottle labels
- Medical bills
- Health insurance EOB statements
2. Review medical statements for inaccuracies
You may be tempted to throw your medical statements in the trash or a filing cabinet without examining them. But make it a habit to always review those documents for inaccuracies before putting them away. They are often the first signs of fraud or medical identity theft, and by catching them early, you may be able to prevent further damage.
If you see an inaccuracy in your medical statement, contact all health care providers and health insurance companies involved to get more information. You have the right to examine and obtain copies of your medical records. This will help you determine if the inaccurate information indicates medical identity theft.
3. Be careful who you share medical details with
You probably don't go around sharing financial details with acquaintances, but you might not think twice before talking about your medical issues with a friend. To keep yourself safe from medical identity theft, be careful about discussing medical details, such as information about your health care plan.
4. Verify health care providers and facilities
While you're looking over your medical statements for inaccuracies, also keep an eye on treatment details. Verify that the providers and facilities listed are indeed the ones you used to receive medical services. If you see anything you don't recognize, call the statement provider right away to confirm. It could just be that the facility name is abbreviated or written in a way you're not familiar with, but it's always better to double-check so you catch any legit discrepancies right away.
5. Use strong passwords for online patient portals
With so much medical information available in online patient portals, it's critical to safeguard access to them. You can do this by choosing strong passwords that contain a combination of letters, numbers and non-alphanumeric symbols.
Never use a password that someone could guess, like one with your child's or pet's name, your date of birth or something similar. It shouldn't contain words that can be found in a dictionary. And make it as long as the system allows. If you write the password down, ensure it's in a safe, hidden spot. Use a different password for each of your accounts.
6. Securely dispose of medical documents
Medical documents, such as bills or health insurance EOB statements, contain a lot of sensitive information. When disposing of these documents, do so securely. Shredding, burning, pulping and pulverizing are generally considered effective methods. If you don't have a shredder at home, look online for free community shredding events in your area. Or you can bring your medical documents to a location of The UPS Store or Staples for low-cost shredding.
How to report medical identity theft
Victims of medical identity theft should complete the following steps:
- File a report with the FTC by phone at 1-877-438-4338.
- File a report with your local police department (and get copies of it).
- Send copies of the police report to your health care provider, the fraud department of your medical insurance company and the three major credit reporting agencies.
- Report the case at identitytheft.gov.
Is medical identity theft the same as HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law requiring health care providers, plans and clearinghouses to safeguard patient medical information. Although HIPAA and medical identity theft aren't the same, one goal of the HIPAA rule is to provide medical identity theft protection. HIPAA sets requirements for the secure disposal of sensitive patient information and for training employees who handle patient data.
Summary of Money's "What is medical identity theft?"
Medical identity theft is a problem that can affect anyone. It can occur due to database breaches, improper disposal of medical documents, phishing scams or theft by a health care professional or family member. You can take action to protect yourself, such as creating strong passwords, properly disposing of medical documents, safeguarding your medical insurance card and being cautious about sharing your medical details with others.
To spot signs of medical insurance identity theft, always review your medical statements for inaccuracies. If you find you're a victim of medical identity theft, report it to your insurance company, local police department and the FTC.