How to Prevent Medical Identity Theft

Medical identity theft occurs when an individual uses another person’s personal identifying information to obtain medical services, prescription medications, or to make false claims for healthcare benefits. This illicit activity can lead to significant financial repercussions for the victim, including erroneous bills, collections notices, and a damaged credit history. Beyond financial harm, medical identity theft can also compromise the accuracy of a victim’s medical records, potentially leading to incorrect diagnoses or treatments based on another person’s health information. Understanding this threat and taking proactive measures are important steps in protecting one’s health and financial well-being.

Recognizing How Medical Identity Theft Occurs

Medical identity thieves acquire personal health information through various channels, often exploiting vulnerabilities in data security or through deceptive practices. Common methods include:
Data Breaches: Large-scale data breaches at healthcare organizations, insurance companies, or pharmacies can expose millions of patient records. These breaches can result from cyberattacks, system errors, or insider threats.
Phishing Scams: Perpetrators send fraudulent emails, text messages, or make phone calls designed to trick individuals into revealing sensitive medical or financial details.
Physical Theft: This includes discarded medical bills, insurance forms, stolen wallets containing identification, or improper disposal of paper medical records.
Unsecured Online Access: Weak login credentials or unsecured online patient portals can allow unauthorized access to health information.
Insider Misuse: In some instances, individuals with authorized access, such as healthcare employees, may misuse their privileges to steal patient data.

Safeguarding Your Medical Information

Protecting your medical and personal health information requires consistent attention to both physical and digital security practices.
Secure Physical Documents: Shred any medical bills, Explanation of Benefits (EOB) statements, or other health-related papers before discarding them. Keep important medical records in a secure location, like a locked file cabinet at home.
Strengthen Online Security: Use strong, unique passwords for every healthcare provider portal and insurance website. Enable two-factor authentication (2FA) whenever it is offered. Exercise caution when accessing these accounts on public Wi-Fi networks, as these networks may not be secure.
Verify Requests: Be wary of unsolicited requests for medical information received via phone calls, emails, or mail. Legitimate healthcare providers or insurers typically do not request sensitive information like your Social Security number through unprompted communications. Always verify the legitimacy of such requests by contacting the organization directly using a known, official phone number or website.
Understand Privacy Practices: Understand the privacy practices of your healthcare providers and insurers. Healthcare organizations are required to provide a Notice of Privacy Practices, outlining how they protect your health information under the Health Insurance Portability and Accountability Act (HIPAA). Limiting the amount of personal information you share, especially in public or social settings, further reduces the risk of exposure.

Monitoring Your Medical Records

Ongoing vigilance is important for detecting potential medical identity theft.
Review EOB Statements: Regularly review Explanation of Benefits (EOB) statements received from your health insurer. Carefully examine these statements for any unfamiliar services, dates of service, or providers that do not correspond with your actual medical care. Promptly report any discrepancies to your insurer.
Check Medical Bills: Scrutinize all medical bills you receive for accuracy. Compare them against your EOBs and your personal records of services you have received. If you identify charges for services you did not undergo or that appear incorrect, contact the billing department of the healthcare provider to dispute the charges.
Request Medical Records: Periodically request copies of your medical records from your healthcare providers. Review them for any unfamiliar entries, such as diagnoses, treatments, or medications that do not belong to your medical history. The HIPAA Privacy Rule grants individuals the right to access and review their medical records.
Monitor Credit Reports: Review your credit reports annually. Look for any medical-related collection accounts or unfamiliar debts that may appear as a result of fraudulent activity. You are entitled to a free copy of your credit report from each of the three major credit bureaus—Equifax, Experian, and TransUnion—once every 12 months.

Taking Action After Medical Identity Theft

If you suspect or confirm medical identity theft, taking immediate, structured steps can help mitigate the damage.
Contact Healthcare Provider: Contact the healthcare provider or facility whose records you believe have been compromised. Speak with their privacy officer or patient relations department and request an audit of your medical records to identify and correct any inaccurate information.
Notify Insurer: Notify your health insurance company without delay. Inform them that you suspect your policy is being misused and ask them to investigate fraudulent claims. Your insurer can flag your account and help prevent further unauthorized use of your benefits.
File FTC Report: File a report with the Federal Trade Commission (FTC) by visiting IdentityTheft.gov. This action generates an official Identity Theft Report, which serves as important documentation when communicating with healthcare providers, insurers, and credit bureaus. The FTC also provides a personalized recovery plan.
Consider Police Report: Consider filing a police report with your local law enforcement agency. While local police may not directly investigate medical identity theft, a police report can provide additional official documentation that may be required by some organizations during the resolution process. Obtain a copy of this report for your records.
Place Fraud Alert/Freeze Credit: Place a fraud alert on your credit reports with one of the three major credit bureaus. This alert signals to lenders that they should verify your identity before extending new credit. For stronger protection, you can also initiate a credit freeze, which restricts access to your credit report entirely and can prevent new accounts from being opened in your name, including those for medical-related debt.
Dispute Inaccurate Information: Formally dispute any inaccurate information on your medical records or bills by following the specific dispute procedures of the provider or insurer, often requiring written communication and supporting documentation.