What Is Medical Identity Theft?

Know the signs to protect yourself from fraudsters

Edited by: Reena Thomas
Fact-checked by: Jon Bortin

Medical identity theft occurs when someone receives health care using your personal information. It’s a serious issue that can disrupt your health and financial stability. Understanding how it occurs and how to protect yourself is crucial.


Key insights

Medical identity theft involves misusing personal information to obtain medical services.

Protecting your medical information is essential to preventing identity theft.

Recognize the signs of medical identity theft to take swift action.

Understanding medical identity theft

Medical identity theft occurs when someone fraudulently obtains medical care under someone else's identity by using their personal information. They could use your Social Security number (SSN), Medicare number or health insurance information.

If you’re a victim of medical identity theft, you can face several issues. First, it creates fraudulent medical bills that will eventually go to collections and damage your credit. On top of that, you might not be able to use your own medical insurance. For example, if the criminal uses your free annual check-up, you may be denied coverage when you try to use it yourself.

Worst of all, it can put incorrect medical information in your medical records. Your file will now include the criminal’s medical information, including their test results and procedures. When you need care, inaccurate medical records can lead to errors and harmful consequences.

How medical theft occurs

Fraudsters can obtain your information in several ways, including “shoulder surfing” (looking over your shoulder in the waiting room), phishing scams and data breaches.

Kaveh Ranjbar, CEO at Whisper Security, explained that while physical theft of insurance cards might still occur, modern thieves “exploit” the infrastructure. Thieves target exposed billing portals, third-party scheduling apps and cloud-storage buckets.

How to protect your medical information

Consider subscribing to a top identity theft protection service that monitors databases and the dark web for breaches. You can also take these four steps to prevent medical identity theft.

1. Protect your personal data

One way scammers get your personal information is by looking over your shoulder when you’re filling out forms at the doctor’s office. When you are completing your paperwork, be aware of your surroundings and shield your info from those around you.

Ranjbar advised being “extremely cautious” with digital intake forms received via SMS or email. “Verify the domain name matches the provider exactly before entering sensitive data,” he said.

Also, when you hand back your information, don’t just leave it on the receptionist's desk. Make sure to hand it directly to someone who can keep it safe.

2. Secure your documents

Medical paperwork carries a lot of personal information. Keep these documents in a safe place in your home and shred them when it’s time to dispose of them. If you have them digitally, store them on a password-protected hard drive or with a secure cloud storage service.

Any documents that list your name, address, date of birth, Social Security number or medical insurance information should be protected. Examples include:

  • Statements or bills from your doctor’s office
  • Test results
  • Prescription labels
  • Appointment reminders
  • Explanation of benefits
  • Correspondence with your health insurance company
  • Any other insurance documents that contain personal information

3. Enable 2-factor authentication

If your medical provider offers 2-factor authentication, such as sending a code via text or email to log in, you should use it. Multi-factor authentication (MFA) adds an extra layer of protection because a criminal would need your username, password and access to your phone or email.

Ranjbar said, “Treat your medical login credentials with the same rigor as your banking tools. Enable multifactor authentication on every patient portal that offers it — this is the single most effective barrier against automated attacks.”

4. Practice online and phone safety

Anytime you provide your medical information, such as your insurance card, make sure it’s with someone you trust to avoid phishing scams. Phishing is when a scammer contacts you through a method that seems legitimate and asks for personal information.

For instance, a scammer might pretend to be your doctor’s office, calling to get your insurance information. You think the call is legitimate, so you read them the information off your insurance card.

The same can also happen via email. You may receive an email that looks like it’s from your doctor asking you to click a link to share your personal information. You might think it’s a legitimate patient portal, but you’re really handing all your most sensitive data to a criminal.

Always ensure requests are legitimate by contacting your medical provider or insurance directly before sharing your personal data. Don’t give your information over the phone unless you were the one to initiate the call. If someone calls and asks for your information, hang up and call back using the officially listed phone number.
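
The advice to verify that a link's domain matches the provider exactly can be shown in code. The Python below is an added example, not part of the original article; `check_intake_link`, `TRUSTED_HOST` and the sample links are constructed for illustration, and it shows why a link that merely contains the provider's name is not a match.

```python
from urllib.parse import urlsplit

# Constructed value: the portal host as printed on the provider's own paperwork.
TRUSTED_HOST = "portal.clinic.example"

def check_intake_link(url, trusted_host=TRUSTED_HOST):
    """Return (ok, reason) for a link received by SMS or email."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # Text before '@' is a username, not the site; the real host follows it.
    if parts.username is not None:
        return False, "userinfo before host"
    # Non-ASCII or punycode labels can render like the trusted name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    if host == trusted_host:
        return True, "exact match"
    # The trusted name at the start of a longer host belongs to another domain.
    if host.startswith(trusted_host + "."):
        return False, "trusted name is only a prefix"
    return False, "different host"

# Constructed sample links (reserved .example/.test names, not real sites).
SAMPLES = [
    "https://portal.clinic.example/intake?id=123",
    "https://portal.clinic.example.intake-forms.test/start",
    "https://portal.clinic.example@intake-forms.test/",
    "https://portal.cl\u0456nic.example/",   # Cyrillic letter in place of 'i'
    "https://portal.c1inic.example/",        # digit 1 in place of 'l'
    "http://portal.clinic.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_intake_link(url), url)
```
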

Recognizing signs of medical identity theft

Medical identity theft can be difficult to spot. You may not realize it has happened until unpaid medical invoices appear on your credit report. But stopping medical identity theft as soon as possible is important.

You can stay on top of medical identity theft with these actions:

  • Review your explanation of benefits: This document lists the patient, doctor, date of appointment and procedure that was billed to your medical insurance. If you don’t recognize the appointment, contact your doctor.
  • Monitor your patient portals: When you’re logged in, look for questionable test results or appointments. This could be someone else using your information.
  • Don’t ignore calls from a doctor’s office you don’t recognize: If you get a call from an unfamiliar doctor’s office, it could be a sign of fraud. Ask them how they got your info.
  • Review receipts and medical bills: Ensure it’s not a fake invoice and that it’s for medical treatment you received. If you don’t recognize it, call and get more information.
  • Question denial of coverage: When you’re denied routine coverage, such as for your annual physical, it could be because someone else used it.
  • Look for deductible inconsistencies: A scammer using your health insurance means they’ll be using your deductible. If you hit your deductible suspiciously early, follow up and make sure all the costs were legitimate.
  • A debt collector contacts you about a medical debt you don’t owe: If you get a call from collections about a surprise medical debt, it’s time to take action. Get as much information as you can from the debt collector and pull your credit. Dispute the charge on your credit report and investigate your medical records to ensure that all the information is correct.

Steps to take if you suspect identity theft

Once you suspect you’ve been a victim of identity theft, it’s crucial to take action immediately.

“Speed is critical. … Unlike financial theft, medical theft can contaminate your health history — wrong blood type, wrong allergies — which can be life-threatening in an emergency. You must lock the record,” Ranjbar said.

You can report any type of identity theft to IdentityTheft.gov and find assistance for all types of identity theft, including medical.

1. Get your medical records

Contact all your doctors and specialists and request your medical records. You have a legal right to receive your records. Also, contact any doctors that you have reason to believe the fraudster may have used.

For example, perhaps you received an unexpected bill, or there’s medical debt on your credit report from a procedure you didn’t undergo.

You may be able to access your records through your online patient portal. If not, contact the office directly and ask them the best way to receive this information.

2. Report any errors to your providers

If you spot errors in your medical records, let your providers know so they can correct them. You don’t want incorrect info to affect the care you receive in the future.

Ranjbar suggested submitting a formal, written request to the provider detailing the errors and including a copy of the police report or an identity theft affidavit. According to Ranjbar, you have a legal right (under HIPAA in the U.S.) to request corrections.

“Demand that they remove the fraudulent data from your 'active' file to ensure it doesn't impact future care,” he said.

Also, ask your provider if they shared your medical information with anyone else. If they have, follow that thread and correct the information with as many providers and agencies as possible.

3. Notify your health insurance company

You’ll need to notify your health insurance company of the fraud. Call customer service and ask for the fraud department. Follow their protocols for recovery, but expect to send in proof of theft, including the report you filed with IdentityTheft.gov.

If someone signed up for health insurance through the Health Insurance Marketplace, you can contact the Marketplace at 800-318-2596.

4. Dispute errors on your credit report

If the scammer has unpaid medical bills, they will eventually appear on your credit report. When this happens, dispute each instance of fraud with the credit bureaus so they can remove collections from your credit report. You will have to file reports at each of the three bureaus.

You can initiate this process online with each credit bureau, and they have 30 days to investigate the report.

FAQ

What is the No. 1 source of medical identity theft?

The main source of medical identity theft is data breaches. Hackers make their way into health care databases and extract personal information for thousands of people.

Can you prevent medical identity theft?

Yes, you can help prevent medical identity theft by protecting your personal information. Take steps to prevent unauthorized viewing of your medical documents and shred any documents with your personal identifying information.

What should you do if you receive a medical bill for services you didn't receive?

If you receive a medical bill for services you didn’t receive, contact the provider for more information. If you find that someone has been using your information, get a copy of your medical records and report any errors to the provider and your insurance company.

