Medical ID theft

Medical identity theft is a lesser known form of identity theft, but the consequences can be just as devastating. It not only affects the patient or consumer, but also has ramifications on healthcare and insurance providers.

Stay safe. Be Informed.

Medical identity theft occurs when a fraudster illegally obtains and uses a patient's Personally Identifiable Information (PII), such as name, Social Security number, and/or medical insurance identity number, to fraudulently obtain or bill for medical goods or services. This kind of fraud also includes the unauthorized personal gain of insurance benefits, prescription drugs, employment, government benefits, or other financial gain acquired through the theft of another individual's PII. Hackers have also been known to sell stolen health care records on the black market.

Health care data is increasingly becoming a top target for scammers and hackers in the United States and globally. According to Bitglass, one in three Americans were affected by health care breaches in 2015. The Department of Health and Human Services reported 253 health care breaches that affect 500 individuals or more with a combined loss of over 112 million records in 2015. A reason why fraudsters may be going after health care data more is because of its longer shelf life and rich potential for identity theft. Financial data has a finite lifespan and loses its worth as soon as the consumer notices the frauds and cancels their accounts or cards. However, health care data contains information that can't be cancelled or changed as easily as a credit card. This information includes Social Security numbers, medical records, and prescription accounts. 

Follow these tips to help protect yourself against medical identity theft:

  • Review the Explanations of Benefits (EOB) statement or Medicare Summary Notice that your health plan sends after treatment. Immediately report any mistakes or unfamiliar charges, such as a doctor's visit you did not make or prescriptions that you did not fill.

  • Check in with your doctor(s) to ensure your medical records are accurate. Make sure the records contain your procedures, treatments, prescriptions, and other medical activities. If you notice inaccurate health details such as the wrong blood type, pre-existing conditions, or allergies, it may be a sign that an identity thief has accessed your records.

  • Do not share your medical or insurance information with other individuals. Especially do not provide your medical information over the phone or via email unless you initiated the contact and have verified the entity you are contacting.

  • Treat your medical identity with the same care and caution you do any of your other sensitive information, such as your financial credentials. Dispose or shred health documents you no longer need.

  • Read the Privacy Policy on a website before you provide your Personally Identifiable Information. Find out why your Social Security number or insurance account numbers may be needed and how the website will keep it safe, or if it will be shared, and if so, with whom. (Websites with "https" in their URL are secure.)

  • If you are unsure about sharing your personal information with someone who says they are from your health plan—DON'T. Directly contact the Member Services number on your ID card so you can be sure the person is a verified health representative.

  • Be cautious when you get offers for "free" health services or products that require you to provide your personal health information. Often times, this is a scam targeted to steal your medical identity. 

  • Do not provide your medical information to someone who contacts you about a "recent breach." This is a tactic scammers use to capitalize on actual data breaches to "phish" for additional personal information to steal your identity. Know that legitimate companies will never ask for your information through unsecured channels such as phone calls or emails.

  • Do not be afraid to ask questions. Ask your health care provider about how your data is treated, protected, and shared. You have the right to find out with whom your insurance company and medical providers have shared your information with. You are entitled to one free copy of the "accounting of disclosures" every year from each of your providers.

If you have been a victim of medical ID theft, contact either ExperianEquifax, or TransUnion and have them place a fraud alert on your account. The credit reporting agency you contact is legally required to notify the other two agencies. A fraud alert will flag your account as a potential victim of fraud and that creditors should take extra steps to verify your identity before issuing credit. Be sure to monitor your credit reports on an ongoing basis. And be on the lookout for a confirmation letter from each bureau that your fraud alert has been processed. This is not a complete solution for medical ID theft, but it's a precaution to take to look for medical collection notices.

Additional resources

Visit's Identity theft section for more information.

You can also visit the FTC's website to report any instances of fraud, including medical ID theft.

The Medical Identity Fraud Alliance has more information on how to avoid medical ID theft and more steps you can take if you area victim.