One in five Americans says that they’ve been a victim of identity theft or attempted identity theft in the past year, and most of us are familiar by now with the steps to take if your identity has been compromised. The process is a hassle, but it typically takes just a few days and involves minimal financial losses, according to the Bureau of Justice Statistics.
The consequences for one form of identity theft can be much more severe, though. Cases where thieves steal your Social Security number and health insurance info to fraudulently obtain medical services or treatment can be much more difficult to detect or resolve.
Medical ID theft is on the rise, partly because this information is worth far more on the black market than financial identities. That’s in part because banks and other financial firms have beefed up their cybersecurity significantly over the past few years, while hospitals and other health care businesses have been lagging in that area. “Retail and financial services will let you know in real-time if there’s an unusual charge on your credit card,” says Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance. “That doesn’t exist with health care transactions. So if someone checks into a hospital to get surgery, there’s no mechanism to alert you.” Criminals may be able to use stolen medical information for months before anyone notices.
The numbers on medical ID theft are staggering. Nearly 90 percent of health care organizations have experienced a data breach in the past two years, and half of them reported experiencing five or more breaches in that period, according to the latest data from the Ponemon Institute.
That report found that the costs to the victim can be significantly higher than the cost of having financial information stolen, with an average of $13,500 paid to doctors or insurers for services obtained by criminals and to lawyers or identity theft protection services.
In addition to the financial toll, medical ID theft has other consequences as well. If someone steals your identity and receives medical treatment that gets added to your medical records, doctors may have incorrect information regarding your health history, blood type or allergies, which can lead to misdiagnosis or mistreatment. “This is a financial crime with violent crime consequences because it can affect your physical health,” says Eva Velazquez, president and CEO of the nonprofit Identity Theft Resource Center.
Criminals posing as you could also potentially access information in your medical records that you’d prefer to keep private. For example, hackers recently forced Olympian Simone Biles to go public with her ADD diagnosis and treatment, after they published her medical records online.
Thwarting medical ID thieves entirely is difficult, but it is possible to minimize your risk by taking these steps:
1. Talk to your medical providers about their cybersecurity. You’ll want medical providers who use encryption technology and will only communicate with you electronically via their own secure portal rather than by email. While the portals can be a hassle to log into every time you want to ping your doctor, they’re far more secure than sending messages by email. “If you have a medical care provider that’s paying attention to data security, they’re probably also doing a better job with the other details of health care and record keeping,” says attorney Steve Weisman, author of Identity Theft Alert.
2. Decline to give your health care provider your Social Security number. In most cases they don’t actually need it. The exception, of course, is for Medicare patients whose Social Security number doubles as an insurance ID number.
3. Request your medical records every year. Just as you should check your credit report every year, you should also be requesting your medical records. This may involve calls to multiple doctors, but having copies of your records will let you scan for inaccuracies, and provide proof of what your medical profile looked like before any alterations were made. “Once your digital file gets corrupted, trying to go through and prove what the old file used to look like is one of the hardest parts for victims to deal with,” says Pam Dixon, executive director of the World Privacy Forum.
4. Be wary of apps. Health care apps are ubiquitous these days, but their security typically falls short of the levels you’d want in protecting sensitive medical information. Standard mobile security rules apply: Don’t store your login info in the app, password-protect your phone, and don’t use public Wi-Fi.
5. Treat your insurance card like a credit card. Keep it in a safe place and don’t leave it lying around if there are strangers in your home or friends or family members who you don’t entirely trust. Half of medical ID theft victims knew the person who used their data, and a quarter of them knowingly gave the info to that person. If you lose your insurance card, report it to your insurer immediately and ask for a new number along with your new card.
6. Review your “explanation of benefits” forms. It can be tempting to ignore these statements, since they often don’t require any action on your part. However, a discrepancy in your EOB may be your first signal that someone has been requesting medical care in your name. If you find an issue, call your doctor immediately to make sure it wasn’t simply an error on their end.
7. Report suspicious activity. If you think you’ve been the victim of medical ID theft, report it to your local police department as well as the Federal Trade Commission. You’ll also need to call your insurer’s fraud hotline, which will help walk you through next steps. While health insurance companies can help you clear up disputes, most don’t offer fraud monitoring to ID theft victims like many financial service firms do. That means it will be up to you to continue monitoring your explanation of benefits and any other bills from health care providers for unfamiliar charges.