How to Protect Yourself Against Medical Identity Theft

Prevent unexpected bills and protect your credit score with these tips.

[Image: A nurse helps a patient fill out a form in a waiting room. Caption: Be careful with the information you give out. Credit: Ground Picture / Shutterstock]

Medical care is more expensive than ever, and most consumers are painfully aware that even minor medical situations can result in massive bills. The catch is that criminals get sick too, and they’re increasingly relying on a classic tactic to avoid having to pay for treatment: identity theft.

Medical identity theft specifically targets medical information—especially insurance information—instead of financial data. “Health care data is now much more valuable on the dark web than something like a credit card number,” says Adam Kennedy, senior product manager at credit agency Experian, “so it’s become a primary target for hackers.”

Attackers have increasingly set their sights on medical data in response. Critical Insight, a cybersecurity company based in Washington, recently reported that healthcare data breaches rose by 32 percent from 2020 to 2021, with nearly 50 million individual records impacted. A typical “mega-breach” of a large insurer or hospital can net hackers millions of records in a single attack.

How does medical ID theft work?

While medical identity theft attack patterns vary, the most common involves a criminal using a victim’s insurance information to receive treatment or fill a prescription. This can be as simple as picking up a bottle of painkillers or as complex as undergoing major surgery. Because of the glacial pace of insurance processing and the complexity of medical bills—who has ever truly read the entirety of an insurance statement?—it can be months before the victim finds out about the fraud.

The damage can be catastrophic, and it can wreak havoc on a victim’s life in many ways, says Kennedy. “If your health information is compromised and muddied with someone else’s diagnoses and treatments, it can result in you having your own conditions misdiagnosed or legitimate insurance claims denied,” he says. Of course, it can also have severe financial repercussions. “These bills can be turned into collections and can make your insurance premiums rise,” he adds. There can even be criminal consequences stemming from medical ID theft due to stringent laws around prescription drug abuse.

“Cleaning all of this up takes much more time and stress than it does for your everyday identity theft,” says Kennedy.

[Image: A woman reviews a medical bill at her dining table. Caption: Open medical bills immediately to ensure there aren't any fraudulent charges. Credit: giggsy25 / Shutterstock]

How do you protect your medical identity?

Much like every other aspect of modern life, it’s unfortunately on you, the consumer, to protect yourself from attack. Credit agencies and banks are highly proactive today about ensuring financial charges are legitimate by sending you automated text messages and emails whenever an account is accessed. While some insurers offer similar features, many do not, and few consumers check their insurance companies’ websites to review recent activity with any degree of regularity.

These online portals should be your first line of defense, says Kennedy, and it’s up to you to make a habit of regularly checking them the same way you would for your checking account or credit card statement. If an alerting system is available from a provider, set it to message you any time activity is recorded. While some third-party tools that provide identity theft monitoring services can also monitor medical insurance activity, you’ll need to read the fine print for them before signing up to see how they work and what they cover.

Meanwhile, it’s important to check online and paper statements from your insurance and your provider thoroughly and keep them as secure as you would tax records: shred them before discarding. “You want to look through statements for anything unusual,” says Kennedy, such as unknown doctors, activity in locations where you don’t live, prescriptions you don’t take, and treatments you didn’t receive. If you do find something fishy, immediately contact the provider and your insurance company.

Finally, be careful about what personal information you give out on the phone and online. Never share medical or insurance information unless you initiated the communication or service.

Smart Tip: Use a dark marker to block out your personal information, including your name and prescription number, from any medication packaging before discarding.


What should you do if your medical ID is compromised?

The first step is to contact your provider and insurance company and let them know your medical identity has been stolen. Next, report the theft to the Federal Trade Commission online at or by phone at 1-877-438-4338.

Recovering from a medical ID theft is a cumbersome and painful process that can cost, on average, about $13,000 and require 200 hours of time, says Kennedy. While you can go it alone on this, it’s best to use an identity theft restoration professional, he says, which will save time, money, and frustration.

“These services employ professionals who are specifically trained in dealing with identity theft,” says Kennedy. “And they deal directly with medical providers and collection agencies to help you straighten things out.” As with any type of identity theft, acting quickly to begin the repair process is paramount.