Guard Against the Growing Threat of Medical Identity Theft

The theft of personal medical information can cause both financial and health-related hardships to victims and our health system.

Female doctor showing a digital tablet to a senior male patient in an examination room

by NEA Member Benefits

Key takeaways

  • Medical identity theft costs victims an average of $13,500 to resolve.
  • It has been called the privacy crime that can kill because it alters protected health information.
  • Guarding against medical ID theft requires a lot of effort because health records are scattered.
  • Complete stolen medical records can be sold for up to $1,000 on the dark web.

If you use credit cards, you’ve probably had to contend with a fraudulent charge, or two or three, at some point. This is a form of identity theft because a criminal has pretended to be you and gone on a shopping spree using your credit card.

But there is a much more insidious and dangerous type of criminal activity that is among the fastest growing ways to throw someone’s life into turmoil—medical identity theft. In medical ID theft, in addition to obtaining your Social Security number, name, date of birth, and other pieces of what’s called personally identifiable information (PII), a thief gets your healthcare data and medical and prescription history—what’s called your protected health information (PHI). This can be used to order medical treatment, services or goods in your name, and charge it back to you and your health insurer.

PHI is highly valuable because it can be used to obtain pharmaceuticals, commit insurance fraud and get medical care through Medicaid and Medicare.

Dangerous to your wealth and your health

The fiscal impact of medical identity theft is considerable, generating losses to the health industry of more than $30 billion each year. However, patients also sustain financial consequences of fraud, having to pay an average of $13,500 to resolve these crimes.*

Being on the hook for thousands of dollars in fraudulent medical charges may not even be the worst aspect of this crime. Medical ID theft can place erroneous information into your medical records, or an entirely new fictitious medical file may be opened in your name. Your medical history could then contain the wrong blood type, or incorrect allergy information. This may become a permanent part of your medical history resulting in misdiagnoses, mistreatments or delays in treatments and incorrect prescriptions. It’s why the California Department of Justice stated in a 2013 report that “medical identity theft has rightly been called the privacy crime that can kill.”

A lucrative crime of convenience

One reason medical ID theft is so lucrative is that it often takes a long time to uncover. Most people are not actively checking the accuracy of their medical records. This allows thieves to work the system much longer than the typical personal identity theft.

Keeping tabs on medical information can be difficult because medical records are scattered far and wide. Your information is in the file folders, hard drives and cloud databases of every doctor, hospital, clinic, lab, pharmacy, outpatient facility and surgical center you’ve ever visited. The FBI has noted that the data networks of health care providers generally are not as secure as those in the financial and retail areas.

Stolen PII and PHI is sold on an online black market called the dark web. According to Experian, one of the three major credit bureaus, a single Social Security number goes for just $1 and a driver’s license sells for $20. But complete medical records can command prices up to $1,000.

Signs of medical ID theft

If you experience any of the following, you may be a medical ID theft victim:

  • Unexpected medical bills from a doctor or hospital you’ve never visited
  • Medical bills in someone else’s name
  • Phone calls or letters from a collection agency about overdue medical charges
  • A letter or email from your insurer confirming an address change you did not request
  • Denial of medical insurance
  • Notification from a doctor or medical facility of a data breach.

How to protect yourself

To protect your medical information, you must be proactive. Recognize that it will take more effort than simply reviewing a monthly credit card statement. Here are a few things you can do to help prevent medical ID theft and to minimize the damage if it happens:

  • Protect your Social Security number. It’s a critical piece of information that can be used to steal your identity for medical and other purposes.
  • Review every medical notice and communication. Carefully read all letters and emails from insurers, doctors, hospitals and other medical providers. Review every Explanation of Benefits (EOB) notice to confirm names, addresses, procedures and dates. Immediately report any discrepancies or anything you don’t understand.
  • Share PII and PHI responsibly. Provide your personal information only to trusted providers. Never provide information over the phone, through email links or to a stranger who knocks on your door.
  • Guard your health insurance card and account number. Treat it like a credit card, which means, don’t loan it to anyone—even a family member. About a third of all medical ID thefts occur because the victim knowingly shared their medical credentials with a friend or family member.
  • Shred documents and manage passwords. Shred any unneeded documents with sensitive information, such as medical diagnoses, prescription drugs and account numbers. Use strong passwords and regularly change your passwords for online medical and insurance accounts. Create a different password for every account and use a password management app to keep track of them.
  • Monitor your credit reports. Review your credit reports at least annually. You can get a free report from each of the three major credit bureaus—Experian, TransUnion and Equifax—once a year at Look for unpaid medical bills. At the same time, you can ask your insurers for a listing of benefits paid out in your name. Some insurers may make this information available online.
  • Keep accurate records. Maintain records of all doctors’ appointments and medical procedures. This can help you dispute errors and fraudulent claims.
  • Avoid public health fairs. Beware of “free” screenings or tests in storefront businesses if they require your health insurance or personal information.
  • Move quickly on any breaches. If you receive a breach notification from a provider, follow their instructions immediately. If you spot something suspicious in one of your reviews, report the problem to your insurer and providers right away.

Be vigilant

The migration to electronic health records has contributed to the rise in medical ID thefts. But despite the financial and physical dangers, most consumers are not taking action to protect their medical information. Make a commitment to buck that trend and get yourself out in front of this growing problem.

* Medical Identity Fraud Alliance. Fifth Annual Study on Medical Identity Theft, February 2015.