According to reports, the theft of personal medical information is increasing, despite privacy laws that are intended to safeguard your protected health information. Medical identity theft can disrupt the victim’s life, damage their credit rating, and could even be life-threatening if the wrong diagnosis or medications end up in the victim’s medical records. Learn these nine steps to better protect yourself and your family from medical identity theft.

What Is Medical Identity Theft?

Medical identity theft is the illegal use of another person’s information to attempt to get medical treatment, services, or goods. The criminal may steal the victim’s date of birth, address, Social Security number, healthcare identification number, as well as medical data such as past and present health conditions, prescriptions, and online medical account credentials.

What can a criminal do with another person’s medical information? More than you may think.

A thief can use the victim’s stolen information to visit a doctor, file fraudulent insurance claims, obtain prescription drugs for the purpose of selling them on the black market, or purchase costly medical services.

Medical Identity Theft Can Have a Devastating Impact on Its Victims

Although many people tend to worry about the misuse of their credit or financial accounts, medical identity theft can actually be more costly to victims than other types of identity theft. Federal law generally limits a consumer’s liability for fraudulent credit card charges to $50, but victims of medical identity theft often don’t have similar protections.

Identity thieves may rack up large hospital bills in the victim’s name and then disappear, leaving the victim completely unaware until they are contacted by creditors. The time it takes to resolve the dispute may negatively impact the victim’s credit rating and even affect future insurance costs.

According to one report, damage from medical identity theft can endure for years, with some victims suffering long-term consequences of aggressive medical debt collection or facing prosecution because thieves used their identities to purchase stockpiles of prescription drugs.

If the thief’s medical information ends up in the victim’s electronic health record, the victim’s health could be at risk.

Potential Signs of Medical Identity Theft

• An Explanation of Benefits (EOB), bill for medical services, or Medicare summary notice outlining services that you never requested or received
• A call from a debt collector about a medical debt you don’t believe you owe
• Information you don’t recognize, such as an incorrect address or date of birth, when you verify your information before a doctor’s appointment or other medical treatment
• An erroneous notice from your health plan that you reached your benefit limit
• A denial of insurance because your medical records reflect a condition you don’t have
• A medical collection notice on your credit report that you don’t recognize

Steps to Better Protect Yourself from Medical Identity Theft

• Review medical and insurance statements – Read medical and insurance statements regularly and completely. Review Explanation of Benefits (EOB) statements or Medicare summary notices sent by your health plan after treatment. (EOB statements are usually the document than says “THIS IS NOT A BILL”.) Were you charged for any medical services or equipment that you didn’t request or receive? Do the dates of services and charges look unfamiliar? Were you double-billed for the same service? If you spot anything suspicious, contact the provider or your insurance company right away. Remember that services for family members may appear on your Explanation of Benefits statements as well.
• Don’t overshare – Healthcare providers often request detailed information from patients. If you don’t understand why your doctor needs a particular piece of information, ask whether it’s necessary. For example, many standard forms ask for a Social Security number, but you may be able to leave that field blank.
• Know who you’re talking to – Don’t share medical or insurance information by phone or email unless you initiated the contact and are sure you are speaking with the right organization. If you get a call or email from someone who claims to be from your insurer or healthcare provider, don’t provide any personal information. Instead, call your doctor or insurer directly or log in to your patient portal to verify the request. Don’t answer questions from a caller who says he or she is conducting a health survey and needs your Medicare or insurance number, as this may be a scam.
• Be wary when providing information online – Before providing sensitive personal information on a website, find out why the information is needed, how it will be stored, and whether it will be shared and with whom. It’s best to read the Privacy Policy on the provider’s website. If you choose to share your information, look for a lock icon on the browser’s status bar and a URL that begins with https:// (not just http://). If the website doesn’t have those two security indicators, it could be a red flag.
• Safely store or shred medical and health insurance documents – Store paper copies of your medical and health insurance records in a safe place. Shred outdated health insurance forms, prescription and physician statements, and prescription bottle labels before throwing them away. Store electronic copies securely as well.
• Be suspicious of free offers – Be wary if someone offers you free healthcare services or products, but asks for your health plan ID number. Medical identity thieves may pretend to work for an insurance company, doctor’s offices, clinic, or pharmacy to try to get you to disclose sensitive information.
• Request access to your medical records. Just as you may regularly review your credit reports, consider periodically reviewing your medical records for red flags as well. It’s your right under the Health Insurance Portability and Accountability Act to request copies of your health information. Your healthcare provider may have an online patient portal to view your record, or you may be able to request the information from the office directly, sometimes for a small fee. At least once a year, ask your insurer for a full list of benefits paid in your name.
• Know your rights – In some circumstances, a healthcare provider may be unwilling to give you access to your medical records if the request is related to being a victim of medical identity theft. A provider may question whether the federal health privacy law permits disclosing a record that may contain another person’s personal health information. In this case, consider showing the provider the guidance offered by the Office for Civil Rights, which enforces the health privacy law. If your provider still resists, you can file a complaint with the Office of Civil Rights.
• Take appropriate action if you receive a breach notification – If you learn that your medical information has been stolen, first try to determine exactly what was compromised and then make a remediation plan. If you receive a notification that your health insurance or health plan number was compromised, notify your insurer so they can note it in their records and flag your account number. Consider seeking professional help, or contact the Federal Trade Commission for assistance. 

If You Suspect a Problem 

• If you notice questionable charges on a bill or statement, contact your healthcare provider first to see if it’s a mistake. If you see items you don’t recognize on an Explanation of Benefits or other statement from your insurance provider, call your insurer at the number listed on the Explanation of Benefits. Ask for more details about anything you suspect, and ask them to investigate.
• If you believe you are a victim of medical identity theft, the US Department of Health and Human Services recommends contacting the following organizations:
  • US Department of Health and Human Services fraud hotline
  • Medicare.gov’s web page on reporting fraud and abuse
  • The Federal Trade Commission’s identity theft website at IdentityTheft.gov

In addition, consider filing a police report and sending copies to your medical providers, insurers, and the three nationwide credit bureaus (Equifax^®, TransUnion^®, and Experian^®). It may help protect you if an identity thief starts using your personal information for fraud.