All types of identity theft are a pain, but none more so than medical identity theft. If a criminal steals your personal information for their medical use, it could mean not only that your credit gets ruined, but also that your life is threatened by false medical records. That’s a worst-case scenario. Yet, it doesn’t hurt to be prepared, especially since medical identity theft is becoming more common. A study in the Journal of the American Medical Association showed that between 2010 and 2017, the number of medical ID theft cases rose almost every single year.
Table of Contents
What is medical identity theft?
Medical identity theft occurs when someone uses your personal info for medical care or medical insurance claims. This can seriously harm your credit, alter your personal medical records, mess up your insurance policy, and cause you major embarrassment. It can also lead to higher out-of-pocket costs for the medical procedures that you need.
Medical identity theft statistics
- 27% of data breaches were related to medical records in 2017.
- 65% of victims needed almost $13,500to pay off fraudulent bills.
- Of victims studied,3% lost their jobs.
- 23% purposely gave their healthcare info to someone they knew to help them out.
- Family members committed 24% of medical identity theft without their family’s knowledge.
- Only 10% of victims were completely satisfied with how their situation resolved.
- 30% of victims had no idea when the identity theft occurred.
How does medical identity theft happen?
For this type of identity theft to occur, thieves need access to your personal info. These are just a few of the ways they can steal your information for medical identity theft:
Physical records or insurance cards
For the most part, people are very careful with their medical and insurance records. Unfortunately, when patients or their healthcare providers are negligent, thieves can steal personally identifying medical info.
Electronic Health Records (EHRs)
Almost every healthcare worker in a hospital can access patient records. If any of them have ill-intent, they could simply take your records while they work.
Large medical databases are susceptible to hackers. Criminals have good reasons to target medical records, too – they fetch a high price on the black market. Through various methods of online identity theft, thieves will break into secure databases and steal thousands of records.
It’s coming from inside the hospital
One in five healthcare workers say your personal data is worth between $500 and $1,000, says a poll.
Another 24 percent know someone at work who’s selling their patients’ information, according to solutions company Accenture.
“Health organizations are in the throes of a cyber war that is being undermined by their own workforce,” says John Schoew, leader of Accenture’s North American health and public service security practice. “With sensitive data a part of the job for millions of health workers, organizations must foster a cyberculture that addresses these deeply rooted issues so that employees become part of the fight, not a weak link.”
And that’s just the most egregious of cybersecurity flaws in the healthcare industry.
Healthcare cyber warfare
Hospitals and doctor’s offices had to spend $12.5 million each, on average, last year. Employees selling confidential information is arguably the most malicious mistake made. But, there are many others that put you at risk.
Eighty-eight percent of healthcare workers are trained not to hand write their username and password credentials. And if they do, avoid leaving them next to work computers. However, 17 percent still do. Even worse, those who frequently receive cybersecurity training are more likely to. A quarter (24 percent) of regularly trained healthcare workers make that mistake.
Those are just problems from inside the healthcare industry. Patients still need to be concerned with outside threats.
McAfee, a cybersecurity company tracks more than 478 new cyber threats per minute, according to its latest threats report. The healthcare industry experienced a 211 percent increase in cybersecurity incidents last year alone.
Weak medical software, and lack of security efforts contribute to incidents in the healthcare industry, McAfee says.
“Healthcare is a valuable target for cybercriminals who have set aside ethics in favor of profits,” says Christiaan Beek, McAfee lead scientist and senior principal engineer. “Both health care organizations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices.”
But, where is medical identity theft most often to happen?
The most vulnerable
In 2016, there were 16 million patient records stolen in the U.S., according to a study published in the American Journal of Managed Care(AJMC).
Medical education, pediatric hospitals and large hospitals — with more than 400 beds — experience more data breaches, than privately owned, for-profit hospitals, the study says. There were 215 data breaches in 185 urgent and acute care clinics, that affected 500 or more people, AJMC’s study says.
Hospitals with data breaches versus those without
This shows how frequently some hospitals are hacked.
- Teaching hospitals: 16 percent with a breach vs. only 3 percent without a breach
- Pediatric hospitals: 6 percent with a breach vs. 2 percent without a breach
- Larger hospitals: 26 percent with a breach vs. 10 percent without a breach
- Private for-profit hospitals: Only 15 percent vs. 22 percent without a breach
The use of electronic health records contributes to 19 data breaches, affecting 44,805 people. Lost or stolen laptops from hospitals contribute to more than double the incidents, with 51 data breaches that affected 380,699 people.
Throughout the 7-year long study, researchers noted that hospitals spent more money updating their electronic health records systems. However, hospitals neglected to invest in increasing cybersecurity efforts. They also noted that hackers shifted interests from selling data, to threatening to shut down online systems in hospitals by holding data for ransom.
Which is interesting. As McAfee has pointed out, Ransomware cases increased by almost 60 percent last year.
How to know if you are a victim of medical identity theft
If someone stole your medical information, find out as soon as possible. Keep an eye out for these signs:
Bills for medical services you didn’t receive
If a bill shows up in your mailbox for a medical service you never actually received, then someone may have used your insurance for their own medical care.
Incorrect info on your Electronic Health Record (EHR)
Your doctor keeps an EHR with all of your health information on it. If the doctor mentions something on the EHR that you know is wrong, it’s possible someone used your insurance for their own treatment.
Maxed out policy that doesn’t make sense
Say you’ve only had a few medical appointments this year. Then you get a call from your insurance company saying that your plan is maxed out! Before you blame the company, find out if someone else used your plan.
Calls about medical debt you don’t owe
If you receive a call about paying your medical debt when you know you don’t owe any medical debt, an identity thief may have gotten procedures in your name.
Unfamiliar collection notice on your credit report
In the same vein as collection calls, a collection notice on your credit report for a medical debt you never incurred is a sign of medical identity theft.
Denial of insurance because of a condition you don’t have
When you try to get insurance, companies will review any preexisting conditions. If you are denied because of a disease or condition you aren’t afflicted with, an identity thief could have used your name for coverage.
Medical identity theft cases
Just in case you needed solid evidence of how bad medical ID theft really is, here are some stories that made the news:
Drugs on someone else’s dime
In 2008, someone stole Deborah Ford’s purse. In 2010, she heard about a warrant out for her arrest for something she had never done. Someone used Ford’s info for fake prescriptions to get 1,710 codeine and hydrocodone pills. The charge was on Ford’s record for 5 years.
A liver transplant on a different policy
Amira Avendano-Hernandez couldn’t afford a new kidney. She decided to buy someone’s SSN on the black market and get it anyway. The victim had no idea that her identity was being used by someone else until she was contacted by authorities.
The baby that wasn’t hers
A baby was born in a Utah hospital and tested positive for methamphetamine, alerting Child Protective Services. CPS contacted Anndorie Cromar, mother of four. They told her they knew about her drug addiction and all four of her kids – plus this new baby – were in danger. Cromar hadn’t given birth in years. Finally, she found out that the drug-addicted mother had used her stolen driver’s license to commit medical identity theft.
Bad credit, worse allergies
Ronnie Bogle is allergic to penicillin. His brother Gary, who stole Ronnie’s medical identity, is not. If he required emergency treatment and was treated with Gary’s info on his record, penicillin could have killed him. Luckily, this didn’t happen. But Ronnie is still fighting over his records with multiple hospitals.
Blood donation denial
Nikki Gordon wanted to donate blood at her high school’s blood drive. Turns out, the 17-year-old couldn’t donate because her records said she tested positive for AIDS. Gordon was positive this was false. After her initial surprise, she discovered that someone in California was using her Social Security number for medical treatment.
Even medical devices aren’t scam-free
If you know someone who has a pacemaker, they’ve probably been hacked.
Just because you’re not on the internet doesn’t mean that you can’t get hacked. Security firm WhiteScope says there are more than 8,000 existing security flaws from four different pacemaker manufacturers. This massive issue comes from third-party programmers allowing outdated software vulnerabilities instead of regularly updating their systems to protect users against scammers.
The study found that in all cases, programmers had non-encrypted file systems with removable media. This makes it easy and quick for scammers to hack into pacemaker programs to steal data.
Along with that, none of the systems require physician approval to update or change pacemaker information. That means anyone can hack into pacemaker programs and manipulate data without any sort of doctor authentication.
Imagine if someone could open your phone without a passcode or log into your computer without a password — and we’re talking about your heart here, not just your photo collection.
“Pacemaker systems are ‘system-of-systems,’” WhiteScope says. “There are essentially four components to modern pacemaker system deployments: the pacemaker devices, pacemaker programmers, home monitoring systems, and the supporting/update infrastructure. All components are vital to the safe functioning of the pacemaker system.”
The report says the Food and Drug Administration has attempted to streamline updates but all programmers they studied had outdated software in need of major updates. One vendor alone had 3,700 vulnerabilities. In two separate instances, WhiteScope says they found actual non-encrypted personal information of patients in their findings, including Social Security numbers, full names, and medical data. The study says there is no vendor that is better than the others; they’re all bad.
This isn’t the first time pacemakers and other medical devices have had their security flaws exposed. This study names others as far back as a decade ago that detail how a lack in security was a threat to patient safety.
Unfortunately, nothing has changed to make these medical devices safer, even as we’ve all become more reliant and comfortable using digital systems and identity theft risks have grown exponentially.
Medical data keeps getting stolen
Medical hacks are nothing new. The more technology develops to make obtaining our personal medical data more accessible for us, the easier it will be for hackers to steal it.
A quarter of Americans have had their medical data stolen, and one-third of those hacks have happened inside the hospital. Like the pacemakers, if doctors and other health care providers don’t make drastic changes to how their systems are built and maintained, this will continue to happen. And the more it happens, the more financial loss we suffer.
It’s not just medical data, though. All our personal information is prone to theft regardless of where it is stored. Even your money is liable to get stolen straight from the bank these days.
More than half of Americans have been a victim of identity theft or know someone who has been a victim. Even with how common it is, Americans still don’t think they will be a victim — half don’t take any sort of precautions to protect themselves from hacks.
Unfortunately, companies aren’t looking to fix this anytime soon. Businesses would rather beef up the security measures they can see — the physical ones — rather than the ones they can’t. Many companies know that cyber attacks are coming, but very few are doing anything about it. Just like pacemaker manufacturers and programmers, companies still aren’t preparing for online hacks, even though they know they are coming. Vigilance is all on us.
How to prevent medical identity theft
Most people know to be on the lookout for identity theft, which can result in thieves charging purchases to stolen debit or credit card numbers, compromising bank accounts, and taking out unauthorized loans under your name.
But did you know that your name and health insurance information can also be a hot commodity for medical identity thieves?
When someone steals your medical identity, that person can use the information to visit a doctor, obtain prescriptions, and file insurance claims under your name. His or her medical history and claims then mix with yours, potentially exhausting insurance coverage and benefits so you can’t receive treatment or care when you need it.
However, you can take precautions to prevent medical identity theft.
Open all medical correspondence
Don’t automatically delete an email or toss a letter from your health insurance company or doctor’s office because you assume it’s a reminder of privacy policies or a nudge to sign up for the practice’s online portal.
When you don’t open all medical or insurance correspondence, you could unwittingly discard a statement for services you didn’t receive or an unfamiliar insurance claim, which would both be signs of possible medical identity theft.
Use strong passwords
Just like with credit card and bank account identity theft, a strong account password is key to keeping identity thieves out of medical and insurance records. The Federal Trade Commission (FTC) cautions against using your birthday, phone number or social security number in your password.
The FTC also recommends creating a password that is long, complex and unique and changing to a new password as soon as you suspect an identity breach.
Check Explanation of Benefits/Medicare Summary Notice
Medical insurance providers send out forms that outline what treatments they paid for in the last year. Discrepancies between your own records and these forms could be mistakes but may alert you to identity theft.
Red flags include a misspelled or wrong name, unfamiliar physician, charges for services you didn’t receive, an insurance denial based on incorrect medical history or a notice from your insurance company that you’ve exhausted your benefits.
Correct errors in medical records
If you find errors in your records, your next step is to send mail about the errors to both your doctors and your insurance provider. The Federal Trade Commission (FTC) has a succinct guide to correcting medical record errors on their medical identity theft page.
Pay attention to medical collection notices
If you get a collection notice for medical services you never received from a hospital or other health care provider, someone may have used your insurance information to receive treatment or a procedure. Immediately contact the creditor for more information or to dispute the bill.
Another place that past-due payments and collections from health care providers shows up is on your credit report. Review your credit report regularly, keeping an eye out for payment history notices for unfamiliar health care providers.
Protect your SSN and medical insurance info
Keep your personal information safe. Both your Social Security number and your insurance information can be used for medical identity theft.
The Federal Trade Commission (FTC) recommends asking why your social security number, health insurance ID, or other details about your health are needed before providing sensitive information on a website.
Ask for a replacement number if you lose your card
Instead of just asking for a new card, ask for a new number as well. Someone could be using your lost card, and things will get messy if you keep the same number.
Shred medical documents before disposal
Treat your medical documents no differently than your other confidential papers. If you’re throwing some documents out, also shred them beforehand.
Keep your own records
Your healthcare providers keep records of your visits and procedures. Do you? Start taking notes on your medical care. Then if something is wrong on your records in the future, you will have something to compare it to.
Beware of scammers
Did you know that “caller ID spoof” technology can make the caller look official by changing caller ID to your doctor’s office, pharmacy, or health insurance company? When that happens, a scammer can fool you into providing private medical, insurance, or financial information.
If a caller claims to work for a health care provider or insurance company, don’t simply provide the requested information in good faith. Instead, verify the caller’s identity by calling the provider’s mainline before answering questions pertaining to sensitive information.
Responding to medical identity theft
Hopefully, you never experience the nightmare that is medical ID theft. For those unlucky patients, here are five things you can do after you discover you’re a victim:
Contact your insurance provider
When you notice a sign of medical fraud, the first thing you should do is call your insurance provider. If the sign you noticed was actually a mistake by your provider, then calling them will help you find out.
Request copies of your records
Ask for records from the places where the medical fraud may have occurred. You will need all of the evidence you can get.
Get an accounting of disclosures
An “accounting of disclosures” tells you who received your medical records from your healthcare provider. You get one free accounting of disclosures per provider per year. This will show you the places that got your fraudulent records.
Report it on IdentityTheft.gov
Once you’ve confirmed that someone else is using your medical info, go to IdentityTheft.govto report it. This website, created by the FTC, will generate a recovery plan for you.
File a police report
Only 40% of medical fraud victims reported the identity theft to law enforcement. Even if you’re not sure it will help, file a report for your own safety.
Get professional help to clean up errors in your credit report due to identity theft.
Article last modified on November 29, 2023. Published by Debt.com, LLC