What is medical identity theft? A comprehensive guide & prevention tips

Medical identity theft is a type of identity theft where someone impersonates you to get medical care or equipment, buy prescription drugs, or file health insurance claims in your name. These scams can go undetected for years and have devastating effects, as identity thieves can:

• Rack up thousands of dollars in medical bills
• Limit your access to medical care or insurance benefits
• Land you in legal trouble
• Place false information in your medical records, leading to a life-or-death situation in an emergency

Medical identity theft can upend your finances and your life, often requiring significant time and money to resolve and making it one of the most destructive types of identity theft. This guide lends additional insight into this very real and very scary crime, lists red flags to watch out for, and offers tips to avoid becoming a victim of medical identity theft.

The prevalence of medical identity theft

Medical identity theft is on the rise as it’s lucrative for criminals and expensive for victims. Consider these statistics:

• In 2022, the Federal Trade Commission received 27,820 reports of medical identity theft (FTC CSN Data Book 2022)
• That represents a 309% increase since 2017, when the FTC received 6,800 reports (AARP)
• Medical identity theft costs victims an average of $13,500 in medical and legal fees (Ponemon Institute)
• Medicaid and Medicare fraud cost U.S. taxpayers more than $100 billion a year (CNBC)
• Medical records can be worth as much as $1,000 on the dark web. For comparison, Social Security numbers are worth around $1 and credit card numbers are worth $5 to $110 (Experian)
• Nearly 52 million patients’ medical records were exposed in data breaches in 2022 (NPR), and more than 70% of health care data breaches put patients at risk of identity theft (Fierce Healthcare)

Those statistics are alarming enough, but they probably don’t tell the whole story. No one knows how many medical ID theft cases go unrecognized and unreported each year, and it can be difficult to undo damages such as ruined credit, denied insurance coverage, exposed personal information, and falsified medical records that could cause life-threatening mistakes. 

Moreover, anyone can become a victim regardless of their social standing. Just look at these real-world cases:

• A Georgia woman received texts reminding her about appointments she didn’t make in a city she no longer lived. She dismissed them as spam – until she received a bill for $3,600 (NPR)
• A Florida man’s twin brother stole his identity to access more than $32,000 in medical benefits from Veteran’s Affairs – potentially causing the man to be denied insurance coverage (The Florida Times Union)
• A Utah mother nearly lost her four children when child protective services discovered that her newborn had tested positive for methamphetamines – but the woman didn’t have a newborn. A thief had used her name to give birth, and it was the thief’s child who had tested positive for the drug (ABC)
• A Texas woman faced drug charges after thieves used her identity to illegally obtain prescription drugs. The charges remained on her record for five years (KPRC)
• A woman’s insurance claim for a medical procedure was denied after another woman had stolen her identity to receive medical care (Florida Board of Governors Self Insurance Programs)

Thieves only need a few tidbits of personal information to perpetrate medical ID theft – your name, Social Security number, Medicare number, health insurance information, address, date of birth, or account login credentials – and they employ various tactics to steal your medical information, including phishing and smishing scams, social engineering, data breaches, and buying profiles from people-search sites. Protect yourself by understanding common risk factors and recognizing the warning signs of medical identity theft.

Risk factors and warning signs

Who is at risk

Everyone is at risk of medical identity theft, but some people are especially vulnerable, including:

• Senior citizens: Criminals often target older people who might not be as familiar with phishing, smishing, and other impersonation scams designed to steal personal information. In addition, scammers know that many seniors have Medicare and seek to make claims on the government health plan – known as Medicare fraud
• Veterans: Many veterans are enrolled in government programs such as TRICARE and receive VA benefits that are attractive to scammers
• People with disabilities: People with physical and developmental disabilities may be enrolled in Medicaid and other programs that scammers seek to exploit
• Minors: Minors do not typically monitor their credit reports, so medical identity thieves who target children can go undetected for years
• New mothers: Moms and their babies have a lot of doctor’s office visits throughout pregnancy, childbirth, and early childcare, creating more opportunities for criminals to obtain their personal information and medical information
• People with chronic and serious illnesses: Those who have chronic conditions such as diabetes and serious illnesses such as cancer tend to have multiple providers, procedures, and appointments – all opportunities for medical identity thieves to steal their personal information through scams and breaches
• Over-sharers: People who post personal information or even medical information on social media and other websites are at greater risk because they make it easier for scammers to find and steal their data
• Physicians and other health care professionals: Medical identity theft isn’t limited to patients. Doctors, hospitals, and clinics are also vulnerable when scammers use their medical identifiers to make it look like they provided medical care or ordered testing, equipment, or additional services. The fraudsters then commit Medicaid or Medicare fraud by filing claims for reimbursement

Most of these vulnerable groups share a common thread: they have frequent appointments and procedures, and they often have a health plan. The more you interact with the medical system, the greater your risk of medical identity theft, so be sure to familiarize yourself with common warning signs.

10 red flags that signal medical identity theft

1. Unexpected medical bills and insurance claims

If you get a bill for health care or equipment you didn’t receive, you may be a victim of medical identity theft. The same goes for insurance claims found on your health plan Explanation of Benefits statements (EOBs) – any unrecognized services are red flags.

2. Collection letters and calls

Be wary of phone calls and letters from medical debt collectors seeking reimbursement for unrecognized services or equipment. Scammers might have stolen your personal information to obtain unpaid medical services in your name.

3. Unrecognized medical texts, emails, and surveys

If you receive appointment or medical procedure reminders or requests to reschedule appointments you did not make, thieves might have stolen your identity. In another ruse, scammers will ask you to take a fake survey for a facility you didn’t receive treatment at to steal your personal information, Medicare number, or other health insurance information.

4. Incorrect information on medical records

Incorrect information on medical records could be a sign that a criminal has stolen your identity and placed their own information in your file. Falsified medical records could have fatal consequences, especially if a scammer replaces your blood type, pre-existing conditions, prescription drugs, or other critical medical information with their own.

5. Change of address confirmation

An unrequested change of address confirmation from your health insurance company or medical provider might mean a scammer has attempted to change your address so they could gain access to your health insurance benefits, medical services, or equipment.

6. Benefit limit notification

If you receive a notification from your health plan that you’ve reached your health insurance benefit limit – and you didn’t expect it – a thief might have stolen your health insurance information to get a medical procedure or other services in your name.

7. Denied medical claims

If your legitimate medical claims are denied due to reaching your insurance coverage limit or because of a pre-existing condition that you don’t have, it could be the work of scammers. The same goes for fraudulent claims you didn’t submit.

8. Unexpected prescription refill notices

Scammers could be behind refill notices for prescriptions you do not take, as criminals can steal your identity to illegally obtain prescription drugs in your name – which could lead to legal trouble for you.

9. Medical debt on your credit reports

Unrecognized medical debt and incorrect information listed on your credit reports could be the work of an identity thief who has stolen your personal information.

10. Data breaches

If your health insurance company, doctor’s office, hospital, clinic, or even your DME (Durable Medical Equipment) supplier was hacked or otherwise involved in a data breach, your medical information could be used to steal your identity.

Impact of medical identity theft on victims

Medical identity theft has serious financial, emotional, and health consequences, making it one of the most dangerous types of identity theft.

Financial impact of medical identity theft

Medical identity theft can take a heavy financial toll:

• Victims spend an average of $13,500 to resolve legal and medical issues
• Damaged credit ratings can affect your ability to get mortgages, car loans, credit cards, and other lines of credit
• You could lose your job if you’re labeled a drug user or criminal
• Unpaid medical bills – even illegitimate bills – could go to a debt collector
• It can take years to resolve damaged credit
• You could accidentally pay a scammer’s medical bill and be unable to recoup that cost

Stress, anxiety, and other emotional damage

Medical identity theft can also have severe emotional fallout. In fact, 87% of identity theft victims report negative feelings and emotions such as anxiety, anger, vulnerability, depression, embarrassment, and a sense of being violated – and 68% report physical problems such as sleeplessness and persistent aches and pains (Identity Theft Resource Center). If you’re a victim of medical identity theft, you may experience stress and anxiety over:

• Criminals having access to your personal information and medical records
• Thieves using your name to purchase medical services and equipment
• Collection companies that harass you for payments for services you never received
• Damaged credit ratings that prevent you from accessing credit lines
• Legal trouble and reputational damage if you’re erroneously charged with a crime or labeled as a drug user
• Child protection services investigating your household if a criminal falsifies your child’s medical records
• Getting misdiagnosed or improper treatment due to incorrect information on your medical record

Difficulty obtaining insurance coverage or other benefits

Victims of medical identity theft may have limited access to insurance coverage and other medical benefits when:

• Scammers have maxed out their insurance benefits and they can’t afford health care out-of-pocket
• Claims get denied due to falsified medical records and health insurance information
• They cannot get insurance due to false pre-existing conditions

Difficulty accessing or receiving necessary care and treatment

Medical identity theft victims can face barriers to getting quality medical care when:

• False medical records cause doctors to order an inappropriate – or even life-threatening – medical procedure
• A doctor’s office prescribes the wrong medications based on an incorrect medical record
• Insurers deny claims based on false medical information

The examples above underscore how crucial it is to protect your finances and your health by taking steps to avoid falling victim to medical identity theft.

Prevention tips for victims and potential victims of medical identity theft

1. Check Explanation of Benefits Statements for accuracy

When you receive medical care, your health insurance company will send a document called an Explanation of Benefits statement (EOB). This document shows how much your healthcare provider charged your insurance company, how much the health insurance provider paid, and how much, if any, you’re responsible for. Carefully review your EOBs to make sure you received every service, medical procedure, and equipment listed.

2. Regularly review medical records and bills

Request medical records, bills, and notices from your health care providers and medical equipment suppliers, then review these documents to verify accuracy and check for unrecognized services, charges, and other incorrect information.

Under HIPAA, you also have the right to request an accounting of disclosures, a document that details which entities your Protected Health Information (PHI) was shared with during your medical care.

3. Remove your personal information from people-search sites

Many people don’t realize how much of their personal information is already published on data broker and people-search websites. These sites are notorious for collecting private data about people into unauthorized reports. Anyone can purchase these reports and find your address, family relations, contact details, and much more sensitive information like your legal records, income level and credit score. All of these details can be used to access your medical accounts via brute force or social engineering and get medical treatment in your name. 

Unfortunately, people-search sites purposefully make it difficult to remove your information. The removal process is long and arduous, and there’s a good chance your information will be republished even if you do successfully remove it. The issue is compounded by the fact that there are more than a hundred people-search sites out there.

Onerep helps protect your personal data by removing it from 214 data broker and people-search sites. Our service automates all the work of submitting removal requests and verifying that your information is actually removed. Then, we continually monitor each site so if they republish your information, we immediately begin the removal process again.

4. Secure your identifying documents

Health insurance cards, Explanation of Benefits, medical bills, prescriptions, and other paperwork all contain medical and health insurance information that can be used to steal your identity. Thieves can also use non-medical documents such as Social Security cards, credit card statements, bank statements, driver’s licenses, and paycheck stubs that contain personal information to perpetrate medical identity theft.

• Securely store personally identifying documents in your home and shred any other paperwork you don’t need
• Never send photos or copies of your identifying documents via text or email, including your health insurance card, Social Security card, driver’s license, and any other paperwork that lists personal information
• Use a marker to black out any identifying medical information on prescription bottles before throwing them away
• Retrieve your snail mail as soon as possible and consider a locking mailbox
• Always secure purses, wallets, phones, and other devices when in public areas

Keep in mind that medical identity theft isn’t only perpetrated by strangers. In some cases, people impersonate their relatives to access medical services, so keep your identifying documents, Social Security number, and health insurance records under lock and key even at home.

5. Monitor your credit reports

Keep a watchful eye on your credit reports and look for any unexpected credit lines or other suspicious activity. You can request a free credit report annually at AnnualCreditReport.com. Note that at the time of this writing, all three major credit reporting bureaus – Equifax, Experian, and TransUnion – are offering free credit reports weekly.

6. Lock down online accounts

Use strong passwords and two-factor authentication on all your online accounts, not just your medical accounts, to prevent unauthorized access to your personally identifiable medical information.

7. Beware phishing and smishing scams

Scammers often trick victims into sharing their medical information with phishing and smishing scams. For example, scammers will impersonate a hospital and ask you to complete a patient satisfaction survey. During the survey, they might ask for your Medicare number, Social Security number, or other health insurance information. Never take surveys if you’re not familiar with the facility or the treatment they say you received, and never click text or email links. Always verify communications directly with your provider.

8. Don’t respond to marketing messages

Watch out for companies that offer “free” medical services and equipment with “no out of pocket expenses.” Don’t respond to television, radio, newspaper, or online ads, and walk away from anyone who approaches you about medical services in a public place.

9. Avoid oversharing on social media

Social media is a hotspot for scammers who can stalk your profile and piece together enough sensitive information to steal your identity. Avoid sharing any personally identifiable and medical information on social media and other public-facing websites, don’t post about any medical procedure you’ve had, and be wary of social engineering tactics and other suspicious activity designed to trick you into giving up personal data.

10. Never give out important numbers without verification

Do not give others your Medicare, Medicaid, Social Security, or health insurance card numbers without first verifying who they are, why they need it, and how they will protect it. If you lose your insurance card, request a card with a new number – not just an identical replacement – to thwart identity thieves who might have stolen your original card.

Recent incidents: did recent healthcare data breaches affect you?

Data breaches are among the most common sources of medical identity theft, so it’s a good idea to keep informed about the latest breaches to see if you were affected. Here are some of the largest and most recent health care data breaches:

• HCA Healthcare (2023): Hackers targeted an HCA Healthcare external storage location to steal the records of 11 million patients spanning 20 U.S. states. The records included patient names, addresses, email addresses, phone numbers, birthdays, and upcoming appointment dates, prompting HCA to warn patients to contact the company before paying any bills to help prevent medical identity theft.
• Managed Care of North America (2023): More than 9 million dental patient records were compromised and held for a $10 million ransom before hackers made the records available for download. The records contained basic contact information as well as Social Security, driver’s license, Medicare, Medicaid, and health insurance numbers – plus billing and medical care histories.
• PharMerica (2023): Nearly 6 million patient records were stolen after hackers infiltrated the pharmacy giant’s network. The records included both personal and protected health information such as medical diagnoses, Social Security numbers, and prescription medications.
• Regal Medical Group (2022): Malware exposed over 3.3 million patient records, including lab results, medical treatment, prescription drugs, and health insurance numbers. 
• Cerebral (2023): Over 3.1 million users were affected when tracking pixels installed on the mental health startup’s website exposed their data to third-party platforms and subcontractors.

You can also visit the U.S. Department of Health and Human Services website for a list of all healthcare data breaches over the past 24 months that are currently under investigation as well as an archived list of resolved data breaches.

It’s difficult to determine the full impact of these data breaches because it could be months or even years before you realize you’re a victim of medical identity theft. That said, the federal government is responding, as the FTC has proposed an amendment to HIPAA laws that, if passed, would strengthen and modernize the Health Breach Notification Rule. The federal law extends reporting responsibility to health apps and other technologies that aren’t currently subject to HIPAA regulations.

Legal rights and recourse for victims

Legal rights

The FTC states that identity theft victims have the right to:

• Create an identity theft report
• Place an initial alert on your credit report and extend that to 7 years
• Obtain free credit reports
• Dispute and block fraudulent and inaccurate information on your credit report
• Obtain copies of any documents related to your medical identity theft
• Stop debt collectors from contacting you

In most states, you’re not liable for debt incurred on fraudulent new accounts opened in your name – but it’s more difficult to avoid fraudulent medical debt on existing accounts. While the Fair Credit Reporting Act limits monetary losses on credit fraud in financial identity theft cases, there are no such protections for medical identity fraud, according to The Wall Street Journal.

Each case is independent from the next: your health insurance company or provider may work with you, or they may expect you to pay fees. Ultimately, it’s up to victims to prove they’re not responsible for medical debt, so you might need to seek legal counsel to avoid paying for fraudulent claims and medical charges.

You can also sue the thief, provided you can find them, and federal law grants the rights to be:

• Protected from the accused
• Informed of hearings
• Provided full and timely restitution

Steps to take

Here’s what to do if you believe you’re a victim of medical identity theft.

1. File an FTC identity theft report at IdentityTheft.gov

Visit IdentityTheft.gov and report the medical ID theft, then follow the steps to create a recovery plan. On that page, the FTC offers guidelines to recover from financial identity theft plus additional steps specific to medical identity theft. If you suspect Medicaid or Medicare fraud, report it to OIG’s fraud hotline here.

2. Request and review all medical records

Contact all healthcare providers, laboratories, hospitals, clinics, pharmacies, and your health insurance provider to request all medical records, medical bills, EOBs, and accounting of disclosures. Inform providers and your health insurance company of fraudulent claims and request they be corrected or removed. Request a confirmation letter for your records.

3. Place a fraud alert on your credit

Contact all three credit reporting bureaus and place an initial alert on your credit. You can also extend the identity fraud alert to seven years. Report fraudulent activity and request it be removed from your credit report. Here are links to each bureau’s fraud department:

• Experian
• Equifax
• TransUnion

4. File a police report

It’s a good idea to file a report with local law enforcement to document the medical identity theft, which could be useful for removing fraudulent charges and prosecuting the perpetrator.

5. Contact identity theft protection and credit monitoring services

If you have an identity theft protection plan, contact the vendor and follow their guidance. Some homeowners and auto insurance policies bundle identity theft protection into their policies, so even if you haven’t formally signed up for a service, check with your health insurance provider to see if you’re already covered for damages and legal fees. It’s also a good idea to sign up for credit monitoring services.

6. Change account passwords

If you don’t know how thieves accessed your medical information, now is a good time to change passwords on any accounts and apps that store sensitive data. Use strong passwords and set up two-factor authentication, if available, to keep prying eyes out of your online accounts.

7. Speak with an attorney

A knowledgeable attorney can help you navigate the recovery process, work on your behalf to stop collections and remove fraudulent claims and charges, and sue identity thieves for damages. Legal help is particularly important if your insurance company or health care provider refuses to work with you.

If you’re a healthcare provider…

The FTC offers guidance for healthcare providers and insurance companies whose patients report medical identity theft, including:

• Investigate the allegation, verify the medical identity theft, and notify anyone who accessed the patient’s records
• Do not report fraudulent medical debt to credit bureaus
• Review your data security and privacy practices to ensure HIPAA compliance, even if you’re not responsible for the medical ID theft
• Report any data breach to HHS
• Report Medicare fraud to OIG’s fraud hotline here
• Advice patients to file a complaint, notify their health insurance provider, and to take advantage of their HIPAA rights

Medical identity theft is a growing concern as criminals develop more sophisticated ways to steal personal information and use it to obtain medical treatment or cash in on reimbursements. Understand the warning signs, take preemptive steps to thwart scammers, and know how to respond to avoid becoming a victim and minimize the damage caused by medical identity theft.