What is medical identity theft and how does it occur?

What is medical identity theft?

Medical identity theft is when someone steals and fraudulently uses your personal information to file false medical insurance claims, get medical services, or illegally obtain prescription drugs. If your identity is stolen for this purpose, it can affect your healthcare coverage and leave you vulnerable to other forms of fraud.

Examples of personal information that somebody may steal and use for identity theft include your:

• Name, home address, and date of birth
• Health insurance information (member ID, policy number, or group number)
• Medical history (conditions, medications, doctors’ names)
• Social Security number (SSN)
• Bank account information
• Driver’s license number
• Email addresses or phone numbers
• Employer information
• Genetic or biometric data

Medical identity theft is often preceded by Medicare scams, with fraudsters outside the healthcare system using various tricks to steal information they can use to assume your identity. Other schemes may aim to exploit your coverage with a private healthcare insurer.

Medical fraud can also be perpetrated by people working within the healthcare system, with “insider” fraudsters stealing your personal data or billing you inaccurately.

How can medical identity theft occur?

In order to steal your identity, fraudsters need to get access to your personal details. This means medical identity theft typically happens after your information is stolen through physical theft, a data breach, social engineering, phishing, or by an insider.

Here’s a deeper explanation of some of the main incidents that can lead to medical identity theft:

• Physical theft: Thieves can access your personal or medical information by stealing documents like your Medicare or Social Security card. You may be more at risk of theft if you’ve lost your wallet or failed to store sensitive documents safely.
• Hacking and data breaches: In 2024, 13 separate data breaches exposed medical data, leaking elements of over 146 million U.S. residents’ medical records. These breaches were ultimately caused by human error, hacking, physical theft, phishing attacks, and other events.
• Social engineering: Identity thieves may pose as Medicare or insurance representatives to phish for personal information, like your Social Security or policy number. These phishing attacks can be delivered via text, email, or phone calls.
• Insider threats: Fraudsters with legitimate access to sensitive information through employment at a healthcare organization can exploit their position to tamper with medical records, steal patient data, or sell protected health information (PHI) on the black market. Outside threats may also trick, bribe, or coerce employees into giving them access to patient data.

Signs of medical identity theft

Spotting suspicious errors or inconsistencies in the documentation you receive from your insurer or healthcare providers is one of the most telling signs that a fraudster is using your details to commit medical identity theft. However, signs on your credit report or unexpectedly denied medical coverage could also alert you.

Here’s a breakdown of some of the major warning signs of identity theft related to your medical information:

• Errors in your explanation of benefits (EOB): An EOB statement is a document from your health insurance company detailing healthcare services received, the amount charged, and the amount your insurance company will pay. Errors in your EOB may indicate that someone else has filed a fraudulent claim under your name.
• Bills for medical services you didn’t receive: Incorrect charges for doctor’s visits, procedures, medications, and equipment could signify that your medical details are being used fraudulently. Carefully review all bills from your healthcare provider to identify anomalies before paying any amounts owed.
• A medical debt collection notice on your credit report: Finding an unexpected medical debt collection notice on your credit report can indicate that someone has used your financial information to obtain medical services on credit, leaving debt that’s falsely associated with your credit file.
• Denied insurance coverage: Being denied medical insurance coverage for unexpected reasons — like a notification that you’ve reached your annual benefit limit despite minimal healthcare utilization or notes of pre-existing conditions you don’t have — could indicate that somebody has filed fraudulent claims under your name.

How to help prevent medical identity theft

There’s no way to prevent identity theft entirely because fraudsters are always coming up with new schemes to target their victims. However, there are some strategies you can use to help protect yourself, including limiting the exposure of your personal information and monitoring for suspicious activity.

Here’s a guide to what you can do to minimize your risk of falling victim to medical identity theft:

• Safeguard your medical documents: Keep your health insurance enrollment forms, health insurance cards, prescriptions, medicine bottles, EOB statements, and billing statements from doctors or other medical providers in a safe place.
• Check your insurance documents: The EOB statements you receive from your health insurer will show all of the claims submitted in your name. Review them whenever they’re sent to make sure there are no suspicious claims that you didn’t make.
• Limit your Medicare number’s exposure: Be on the lookout for phishing scams aiming to trick you into revealing your Medicare number, and don’t give it away to anyone over the phone. Only provide it to trusted healthcare providers, and talk to them about how they handle your data and who can access it.
• Protect your personal information: Unsolicited phone calls and text messages are some of the most common ways identity thieves will try to steal personal information like your address, Social Security number, or credit card details. Protect your sensitive data by only sharing it with verifiably trustworthy people or organizations, and only when absolutely necessary.
• Safely dispose of sensitive documents: Shred or dispose of unneeded documents that contain personally identifiable information. Consider using file shredding software to fully overwrite sensitive digital data and protect against the risk of your information being exposed through malware or a virus.
• Protect your medical accounts: Use unique, strong passwords and two-factor authentication for all of your online accounts, including any that are relevant to your health insurance plan or healthcare providers. This can help protect against hackers targeting you with account takeover attacks.
• Avoid oversharing online: While keeping your friends updated about how you’re doing over social media can be a comfort while dealing with illness or injury, oversharing about your doctor’s appointments, medical condition, or personal information could give lurking identity thieves the details they need to impersonate you.
• Use an identity theft protection service: ​​Identity theft protection services like LifeLock scan the dark web and public people-search websites for your personal information so you can take steps to protect it and boost your online privacy.

With a subscription to LifeLock, you’ll also get alerts of key changes to your credit file^† and expert assistance from a U.S.-based restoration specialist if your identity is compromised. Join today to help protect against identity theft.

How do healthcare providers protect your medical data?

You can go to great lengths to protect your personal and medical data, but if your healthcare insurer or provider doesn’t do the same, you may still be vulnerable to medical ID theft.

Fortunately, the Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare providers protect patient privacy by ensuring the confidentiality of all electronic protected health information (e-PHI), safeguarding against anticipated threats, and certifying employee compliance.

Here are some methods they may use to protect your medical information:

• HIPAA-compliant systems: Examples of HIPAA-compliant systems include electronic health records (EHRs), patient portals, and telemedicine platforms designed to limit unauthorized access, use, disclosure, disruption, modification, or destruction of data.
• Antivirus software: Antivirus software detects and removes malware from computers, helping protect medical data stored electronically by flagging unauthorized programs that could steal information or trigger a data breach.
• Encryption: Medical data may be encrypted, or scrambled into unreadable code, to make it vastly more difficult for unauthorized people to use in fraud if they get access.

What to do if you’re a victim of medical identity theft

If you realize you’ve fallen victim to medical identity theft, taking fast action can help minimize potential financial, credit score, or healthcare coverage-related damages. Key steps to take include uncovering the extent of the fraud, filing an identity theft report, and contacting the credit bureaus.

Here’s a step-by-step look at what you can do to recover from medical identity theft:

• Get copies of your medical records: Request medical records from your providers and alert them to any false private insurance or Medicare claims you’ve discovered. Once you have the records, find every mistake so you can investigate them.
• Comb through your credit report: Check your credit report to see if there are any unfamiliar accounts or collections in your name. If you find anything suspicious, start a dispute as soon as possible.
• Consider a credit freeze or fraud alert: Contacting the three major credit bureaus (Experian, Equifax, and Transunion) to request a fraud alert or credit freeze can help prevent thieves from opening new accounts and harming your credit score.
• Report the fraud to the Federal Trade Commission (FTC): Visit IdentifyTheft.gov and file a report. The FTC will help create a recovery plan to deal with the aftermath of identity theft and log your report to use as evidence in future investigations.
• File a report with the Office of Inspector General: If you were targeted by a Medicare scam, contact the Office of Inspector General, a department responsible for investigating fraud and waste related to programs run by the Department of Health and Human Services.
• Report identity theft to the police: Some insurance providers and debt collection agencies may require you to report identity theft to the police.

Get help with medical identity theft prevention

Somebody stealing your identity to use in medical fraud can have significant implications for your coverage. Subscribe to LifeLock to boost your protection against identity theft. You’ll gain access to features that can help you safeguard your personal information from cybercriminals, monitor for potential fraud, and recover your identity if it’s ever compromised.

FAQs

What are the consequences of medical identity theft?

Falling victim to medical identity theft can impact your healthcare coverage and damage your credit score. Medical identity theft is a widespread problem, with Medicare fraud costing Americans an estimated $60 billion per year. And if your personal information falls into the wrong hands, you could suffer other forms of fraud as well.

Will medical identity theft affect my insurance coverage?

Yes, medical identity theft can significantly affect your insurance coverage. Fraudulent claims can deplete your benefits, leading to higher premiums or even policy cancellation.

When is it okay to share my medical records?

You should only share your medical records with trusted healthcare providers, caretakers, or healthcare proxies who need access to make informed decisions about your health or administer treatment.