Medical identity theft: a guide to what it is and how to avoid it

Medical identity theft is at an all-time high. Though telemedicine has been an incredible resource while the COVID-19 pandemic kept us all at home, it has also been exploited by fraudsters to steal medical reports and sell them on the dark web. That’s why, in this guide, we’re going to discuss how to prevent medical identity theft, what warning signs to look out for, and how to report it.

What is medical identity theft?

Medical identity theft occurs when someone leverages your personal information (such as your name, Social Security number, or Medicare number) to buy drugs, obtain medical care, or submit fake medical bills to Medicare in your name. As you can imagine, this is a highly disruptive crime that can ruin your credit, cost you money, and lead to incorrect information on your medical records (which could be potentially life-threatening).

What is not medical identity theft?

It’s important to note that medical ID theft cases do not include instances where medical records are altered to cover up medical errors, patients’ credit card details are stolen for personal use, or cases of family fraud where people willingly let their relatives impersonate them for medical care.

Medical ID theft risk factors

While anyone can become a target of medical ID theft, there are three factors that could put you at higher risk. They include:

• Age: Because medical ID theft often involves social engineering to access a Medicare number or Social Security number, the elderly and minors are at heightened risk. They are more susceptible to online phishing scams and phone fraud than other groups.
• Digital footprint: Medical identity thieves are very good at aggregating personal information found online and pairing it with other health data they’ve found, such as dates of birth and addresses. The more information that exists about you online, the higher the risk of medical ID theft. People-search sites, as we’ll cover later, are a big part of this problem.
• Interaction with healthcare system: Whenever you interact with the healthcare system, new personal records are generated. This can increase your odds of ending up in a data breach, meaning people with chronic medical conditions, new mothers, and surgery patients are at an increased risk. In 2017, there were around 300 medical data breaches, accounting for more than a quarter of all data breaches in the United States. This led to 5 million compromised records.

How does medical identity theft happen?

If you’re wondering why the healthcare industry is so heavily targeted by fraudsters, just look at the value of the personal information they can get their hands on. If a cybercriminal accesses your medical record, they can sell it on the dark web for a significant amount of money – or leverage the information within it to commit medical identity fraud themselves.

Here are just a few ways medical identity theft happens:

• Data Breaches: Data breaches account for a lot of compromised records in medical identity theft statistics. The healthcare industry experiences more breaches than any other industry, and breaches have risen by 50% from 2017 to 2019.
• Online impersonation: Today, cybercriminals only need login credentials to impersonate legitimate patients on their online medical accounts. These can be leaked in data breaches, purchased on the dark web, or stolen from people through scams and social engineering. Once they can access your accounts, they can steal more personal information and begin using it for financial gain.
• People-search sites: A lot of people don’t realize how much of their personal information is already published online. People-search sites are notorious for collecting this information in unauthorized reports. Anyone can purchase these reports and find your address, family relations, contact numbers, and sometimes much more sensitive information like your Social Security number. All of this information can be used to access medical accounts via brute force or social engineering. 

What are the consequences?

Medical identity theft can have a pretty serious effect on your financial and physical well-being. Here are the most impactful consequences of being a victim of medical ID theft:

• Lowered credit: When someone gets medical services or equipment in your name, charges can pile up undetected and unpaid. This can create derogatory marks on your credit report, lowering your credit score.
• Fraudulent charges: An Experian report found that, in 2017, 65% of medical ID theft victims had to pay off around $13,500 in fraudulent or fake medical bills.
• Legal trouble: The same report also found that some victims were falsely accused of crimes committed by the ID thief, such as illegally procuring prescription drugs.
• Erroneous medical information: When someone else gets medical attention under your name, their medical needs may be logged in your records. If they have unique conditions, you may receive the wrong type of care.

How do I detect medical identity theft?

The tricky thing about medical identity theft cases is that there’s no guarantee that you’ll be able to identify it if you don’t know where to look. In some cases, you’ll receive suspicious medical and billing statements, but other times, you’ll need to conduct your own search.

Here are a few signs of medical identity theft:

• Mismatched EOB: After treatment, your health plan will send you an Explanation of Benefits (EOB) or Medicare Summary Notice. Read these: does the provider, date, or service match the care that you’ve received?
• Mysterious charges: Have you received a charge for medical equipment or medical services that you never authorized? Are the medical dates on these charges unfamiliar?
• Strange notices: Have you received collection notices for medical equipment or services that you never requested? Has your health provider said you’ve reached your benefits limit?
• Suspicious credit report activity: Does your credit report indicate that you haven’t paid medical bills for services that you’ve never received?

How do I report medical identity theft?

If you suspect that you’ve been a victim of medical identity theft, contact your medical provider and then file a report to the Office of Inspector General (OIG) and Federal Trade Commission (FTC):

• Medical Provider: Ask your personal medical provider to look into the matter.
• OIG Medicare Fraud Report: File an online report or call 1-800-447-8477.
• FTC Medicare Fraud Report: File an online report or call 1-877-438-4338.

We also recommend that you request a copy of your medical records as soon as possible. In some cases, your request will be denied in an attempt to protect the identity thief’s medical information. Don’t let that stop you – by law, you’re allowed to see what’s in your medical file. You can file an appeal with the U.S. Department of Health and Human Services to do just that.

Once you have your report, check for new erroneous information. If you see any, you can file a medical record correction to the FTC. You can also request an “accounting of disclosures” report from each of your health plans and medical providers. This will show you who received copies of your records from the provider.

How do I prevent medical identity theft?

While there are some promising initiatives starting to take shape in the healthcare industry, such as the Know Your Patient process, it’s still important for patients to protect themselves. Here are a few things you can do now to prevent medical identity theft in the future:

• Guard Your Medicare Number and SSN: Keep your Medicare number and your Social Security number in a secure location. This information can be easily abused by fraudsters to steal your identity and money. 
• Secure your accounts: Beyond using strong passwords, you should lock down your online medical accounts with two-factor authentication. This is your last line of defense – if someone gets your credentials, they’ll still be locked out of the account unless they can provide a temporary passcode. This passcode is generated by an authenticator app or texted to your phone. Unauthorized two-factor notifications will key you into suspicious activity and keep criminals out of your account. 
• Resist social engineering: Common medical identity theft fraud schemes rely on tricking people into giving away their own Medicare numbers. If you’re approached or called by someone claiming that they need your Medicare number to conduct a survey, they’re lying. Just hang up or walk away. Also, understand that no reputable organization will call you and ask for highly sensitive information. 
• Opt out of people-search sites: As we mentioned earlier, people-search sites store a large amount of information on adults. This information can be easily used by fraudsters to commit more serious crimes. While these sites are notoriously tricky to opt out of, the OneRep privacy protection tool offers automatic removal of your data from 199 people-search sites.

To wrap it up…

Safeguarding your online privacy is key to protecting yourself from identity theft. OneRep is here to help. Check out our plans to choose the protection that suits you best, and sign up for a free trial to start minimizing your vulnerability.