medical identity theft avoid

Medical identity theft occurs when a fraudster uses your personal information to receive medical care or make claims to your health insurance provider. Often, all it takes is a health insurance number for a malicious actor to use your medical benefits. Medical identity theft might not seem like a huge deal, but it can have serious repercussions for victims, including significant financial losses and the risk of having limited access to urgent healthcare.

Using your information, criminals may be able to visit a general practitioner or specialist, obtain and fill prescriptions, receive hospital treatment, and more. They can file a claim with your insurance provider to receive reimbursement for monies paid, or for treatment that is fabricated. With the number of healthcare industry data breaches reaching a record high in early 2019, the risk of medical identity theft is increasing.

Thankfully, you can take steps to limit the potential that you’ll become a victim. In this post, we go into more detail about medical identity theft and how it occurs. We’ll also explain what you can do to avoid becoming the next victim.

What is medical identity theft?

Medical identity theft is a type of healthcare fraud, which is commonplace among both practitioners and patients. In many cases of healthcare fraud, the perpetrator uses their real information to defraud an insurer or a government healthcare program. Medical identity theft involves stolen information, and the person to whom the medical information really belongs is typically unaware that the fraud is taking place.

All a fraudster really needs to commit medical identity theft is a name and a health insurance number, although in some cases they need a Social Security Number (SSN), too. Once they have the necessary information, the thief can do one or more of the following:

  • Get free treatment: Medical care is expensive, especially in the US, and many people can’t afford it or don’t want to pay for it. Using your information, the thief can receive treatment from doctors and specialists at a range of healthcare institutions, and may even undergo treatment such as surgery in a hospital. It’s not just private insurance plans that are abused; perpetrators may be after access to government benefits that they don’t qualify for. This includes Medicare or Medicaid in the US, OHIP in Canada, or the NHS in the UK.
  • Make claims for fabricated treatment: The fraudster might not need medical care, but rather wants to receive reimbursement for treatment that didn’t take place. For this, they would use fake medical receipts which may be forged or supplied by rogue medical practitioners looking to make some extra cash.
  • Get prescription drugs: Whether the thief genuinely needs prescription drugs, is feeding a drug habit, or is selling them on for a profit, your medical information can be used to obtain and fill countless prescriptions.

Many people assume medical identity theft primarily affects insurance companies, but victims suffer harsh consequences, as we explain in the next section.

Damages caused by medical identity theft

Here are some of the consequences of having someone use your information without your knowledge in healthcare fraud.

  • Limited access to healthcare: If a thief maxes out your benefits, you could find yourself in an emergency situation with no access to healthcare coverage.
  • Bad credit: If a fraudster is using your information to receive expensive treatment that isn’t covered by your insurance provider, you could end up with huge medical bills in your name. These bills can go to collections agencies and your first knowledge of the situation could be correspondence from a creditor.
  • Erroneous medical records: When a thief receives medical treatment under your name, their medical information will be mixed up with yours. Given that future treatment often relies on medical history, you could find yourself in a dangerous situation where their medical information affects what treatment you receive.
  • High insurance costs: These scams could result in you having to deal with sky-high medical insurance premiums. Worse, some insurers may refuse coverage altogether.
  • Trouble with law enforcement: Medical identity theft may be part of a larger scheme to buy and sell drugs, and could even involve organized crime groups. If your name is involved, you might find yourself being suspected in a crime. If you’re unable to disprove your involvement, you may even face jail time.

While there is no similar recent figure, a 2015 Ponemon Institute study found that more than two-thirds of victims of medical identity theft paid an average of $13,500 to resolve their situation. This included payments to their healthcare provider, insurer, and legal counsel to resolve the incident and to prevent similar scenarios in the future.

How thieves get your information

So how do thieves obtain your medical information in the first place? Here are the common methods:

Phishing attacks

Phishing attacks may occur via email, text, or phone, and involve someone trying to trick you into giving up information. For example, an email might appear to be from a healthcare provider asking you to confirm some of your information. In reality, it’s a cybercriminal trying to get you to hand over your details for use in fraud.

Similarly, a caller on the phone might purport to be from your insurance provider and use social engineering to get you to reveal your health insurance number along with other information.

Phishing attacks are also used against companies, including healthcare industry organizations, to persuade employees to unwittingly leak patient data. Worryingly, a 2018 JAMA Network study found that almost one in seven phishing emails sent to healthcare institution employees are clicked.

Data breaches

Data breaches don’t all occur as a result of phishing. Others occur as a result of successful hacking attempts, file exposure due to software vulnerabilities, or mishandling or theft of physical files or digital storage devices.

According to research by the Identity Theft Research Center (ITRC), in 2018, the healthcare field suffered 363 breaches, which was the second highest number of data breaches in any industry (the business sector had the highest). The healthcare field had the highest rate of exposure per breach in terms of the number of records exposed.

Statement about healthcare industry breaches from ITRC report.
Source: ITRC

A chart from ITRC shows how the number of healthcare field breaches has risen over the last 13 years from just 16 in 2005 to more than 360 in 2018:

Healthcare data breaches in ITRC chart.
Source: ITRC

One of the biggest breaches in recent years was that of Anthem Blue Cross in 2015, in which around 80 million records were breached. As for more recent breaches, in June 2019, Quest Diagnostics confirmed that up to 12 million patients may have been affected by a breach at the American Medical Collection Agency (AMCA).

Stolen cards

When your wallet is stolen, it’s natural to think about your credit and debit cards first. But if you carry a health insurance card or other medical information, this can be just as valuable, if not more, to a thief.

In one recorded case of medical identity theft, a woman’s purse was stolen from her vehicle, and two years later she received notice that there was a warrant out for her arrest. The thieves had used her health insurance information to obtain more than 1,700 prescription opiate pills. Thankfully, she had filed a police report when the purse was stolen and was able to use that to clear her name.

It’s not only cards that contain sensitive data; any prescription or medical receipt might have enough information for a criminal to commit medical identity fraud. Bear in mind, thieves might be closer to home than you think. Many victims of medical identity theft have reported a family member taking their credentials without consent.

Others have admitted to sharing their information to enable a family member or friend to seek medical assistance. Aside from being against the law and causing some of the potential damage noted above, this opens the door for the person to continue using the information without your knowledge.

Black market

Most criminals don’t need to go through the hassle of trying to steal a card or breach a company’s systems. All they have to do is purchase your information from someone who has already done the work for them. The black market (aka the underground economy) has all sorts of information for sale.

Symantec’s Internet Security Threat Report 2019 offers some interesting insight into what’s up for grabs on the black market and how much items of information cost. For example, medical notes and prescriptions fetch $15–$20, while stolen medical records are sold for $0.10–$35.00.

Symantec report underground economy figures related to medical identity theft.
Source: Symantec

Hacking accounts

With most information available online these days, it’s possible that a hacker could get into your accounts and steal your information. For example, access to an email account could expose emails between you and your doctor, knowledge of your insurance login credentials would expose your medical details and claim history, and access to a testing lab account would expose your personal information and all of your results.

While it would seem unlikely, account takeover fraud is more common than we’d like to think. Hackers can use brute force attacks, man-in-the-middle attacks, leaked information from a data breach, spyware, or phishing attacks to gain access to all kinds of online accounts.

How to avoid medical identity theft

While healthcare companies are often to blame for exposing your data, there are steps you can take to ensure you’re not the one who gives up your valuable information:

  1. Check in with your insurance provider
  2. Look out for suspect correspondence
  3. Check your credit report
  4. Use strong passwords
  5. Treat your medical information as you would your SSN
  6. Don’t share your medical insurance
  7. Don’t overshare on social media
  8. Shred prescriptions and receipts
  9. Use a VPN

Let’s look at each of these in more detail:

1. Check in with your insurance provider

If you’re in the US, your insurance provider should send you an Explanation of Benefits (EOB) that outlines claims made by you and anyone else covered under your plan. These are typically sent after a claim has been processed. Similarly, for those entitled to Medicare, you should receive a Medicare Summary Notice (MSN) every three months (provided you’ve received services or medical supplies during the last three months).

While it’s prudent to check these carefully, it’s a good idea to also check in periodically to ensure you haven’t missed something. If you have an online account, you can simply log in to review all recent activity. If not, you can call up your provider to confirm what the last few claims were. While this won’t actually prevent medical identity theft, it will help you catch it sooner rather than later.

Bear in mind that some people are more susceptible than others to this crime. Older adults are often targeted as they tend to be less suspicious and may not stay on top of receipts and statements. Children are also prime targets as their credit data isn’t likely to be checked on a regular basis. As such, checking on behalf of children and older relatives is a good idea.

2. Look out for suspect correspondence

Have you received a bill in the mail for a service you didn’t receive? Or an email concerning a medical matter that you know nothing about? Perhaps you’ve received a letter or email from your health insurance provider stating that you’ve reached your limit for a certain type of benefit. You may even have been hit with a denial of insurance letter if the thief has a medical condition that makes him or her uninsurable. Any of these should raise major red flags and need to be looked into as quickly as possible.

It’s also a good idea to look out for news of breaches that may involve your information. The Health Insurance Portability and Accountability Act (HIPAA) includes a breach notification rule. This mandates that covered entities have to notify individuals affected by a breach of Protected Health Information (PHI). They must also notify the U.S. Department of Health & Human Services (HHS) and in some cases, the media. However, they have 60 days after the discovery of the breach to disclose it, by which time damage may have already been done.

3. Check your credit report

Medical identity thieves can often get away with a lot before anyone catches on. One way to detect something amiss is to check your credit report, as this may reveal medical collection notices that you don’t recognize. Subject to the Fair Credit Reporting Act, those residing in the US are allowed a free credit report from each of the three major credit reporting bureaus once per year. You can also get a free report in case of adverse action such as a medical insurer denying coverage. You just have to request the report within 60 days of the action.

4. Use strong passwords

Every one of your online accounts (healthcare-related or not) should have its own unique password. This prevents criminals from using credential stuffing tactics that use known username and password combinations (often exposed in data breaches) to access other accounts. Passwords should be made up of long strings of upper- and lower-case letters, numbers, and symbols. If you need help with your passwords, a password manager can be a handy addition to your toolkit.

LastPass homepage.
LastPass is one great option to help you generate and remember passwords.

TIP: Check your password strength with our free tool

5. Treat your medical information as you would your SSN

Your health insurance number or other relevant medical number should be guarded as closely as your Social Security number. Only provide it to a third party when absolutely necessary. If you lose your card, you should notify your provider immediately and request a new number. You should also file a police report if your health insurance card is lost or stolen.

6. Don’t share your medical insurance

It may be tempting to help a family member or friend in trouble by letting them use your medical information to receive treatment. This is a crime in itself, and it opens you up to future issues if the person you help decides to abuse your generosity. In the Ponemon study mentioned earlier, almost half of respondents believed that the theft of their medical identity was perpetrated by someone they knew.

7. Don’t overshare on social media

Everyone should be cautious about the type of information they share on social media. While it might be fine for your close relatives to know about your various medical conditions, these things shouldn’t become public knowledge. Criminals can collect information about your medical history and pair it with your date of birth and other public personal information to create a profile to use as the basis for medical identity theft.

8. Shred prescriptions and receipts

Leaving the pharmacy and don’t want to deal with that bulky bag? It’s worth holding on to it until you get home and disposing of it properly. If someone goes through your trash (or whichever trash bin you tossed it in), they could have all the information they need to commit medical identity theft. Treat prescriptions, health insurance forms, and medical receipts as you would important financial documents and shred them once you no longer need them. And don’t forget about prescription labels on bottles and other packaging. You should shred these or otherwise make them illegible before throwing them out.

9. Use a VPN

Many doctors’ offices, health insurance providers, and medical institutions such as labs use online accounts. If you’re logging in to a website while connected to public wifi, there’s a chance a hacker could steal your credentials and other information. It’s best to avoid accessing such sites altogether while connected to public wifi, but if you must, then use a VPN to encrypt your internet traffic.

The struggle of resolving medical identity theft

According to the Ponemon Institute study referenced earlier, one of the issues with medical identity theft is that victims often find out months (three on average) after fraud has taken place, and 30 percent have no idea when or how they became a victim. What’s more, upon discovery of the fraud, many victims don’t know where to report it.

Another problem is that resolution of these crimes is difficult and time-consuming. Those who have reported reaching a satisfactory resolution (10 percent of people, according to the study) spent an average of 200 hours on the resolution. This includes dealing with insurers or healthcare providers, ensuring medical information is secure and accurate, and making sure all outstanding bills are paid.

While resolving medical identity theft can be a struggle, inaction could result in future issues. For example, outstanding bills can have an effect on your credit rating or inaccurate medical records can hinder your future medical care. As such, it’s always worth it to spend the time and money reaching a conclusion.

What to do if you’re a victim of medical identity theft

If you suspect you’re a victim of medical identity theft, here are the main steps to take (not necessarily in chronological order):

  • File a police report. Even if it seems unlikely the perpetrator will ever be caught, filing a police report is crucial. When you file a report, you’ll receive a report number that may be used in future as proof that the theft occurred.
  • File a report with your local fraud centre. Depending on your country, you should have a general fraud centre you can report to. Here are some of them:
  • Notify your insurer. Alert your insurance provider to the fraud and find out if they have a specific protocol in place for these types of situations.
  • Get copies of your medical records. According to federal law, you have the right to view the contents of your medical files. Get in touch with any provider, including doctors, hospitals, and pharmacies where you think a thief might have used your information. Note that you may need to pay for copies of records from various providers. Check them to see if they contain any erroneous information.
  • Obtain an accounting of disclosures. In the US, by law, each of your medical providers has to provide you with (upon request) one free copy of the “accounting of disclosures” as related to your medical records. This includes details about any information sent by a provider, as well as when and why it was sent and who it was sent to. This way, you’ll have an idea of who else might have erroneous medical records.
  • Ask for corrections to erroneous information. Once you have knowledge of the erroneous information and who has it, you can request that corrections be made. Healthcare providers are required to make requested changes, although you will likely have to provide supporting documentation including an explanation of the medical identity theft and a police report to prove it.
  • Notify all three credit bureaus. If you haven’t already checked your credit rating, check it now. Send a copy of your police report and identity theft report (if applicable) to each of the three nationwide credit bureaus. You may also consider placing a security freeze or fraud alert on your credit reports.

In addition to the above, police, your insurer, and your healthcare provider may have additional advice on steps you should take. You may also consider hiring legal counsel or an identity theft restoration service provider to help you resolve the issue and prevent future fraud.