How Does Someone Steal Your Medical Identity?
Identity theft is one of the fastest-growing crimes in America. But scammers aren’t just after your credit card numbers and passwords — they also want your medical insurance information.
Medical identity theft occurs when scammers gain access to your health insurance data and use it to obtain medical procedures, submit fraudulent insurance claims, or request prescription drugs illegally.
Your personal health information (PHI) is more valuable on the black market than credit card numbers and Social Security numbers (SSNs) — fetching anywhere from $10 to $1,000 [*].
That’s what happened to one California man, whose stolen identity was used to obtain tens of thousands of dollars in medical treatments at hospitals across the United States. The victim spent years fighting hospital billing departments over the fraudulent charges [*].
In this guide, we’ll explain how you can help prevent medical identity theft and what to do if you think someone has accessed or compromised your PHI.
How To Prevent Medical Identity Theft
- Know the warning signs of medical identity theft
- Review your Explanations of Benefits (EOB) and bills
- Safeguard your health insurance card and Medicare cards
- Collect your mail as soon as possible
- Secure your online accounts with strong passwords and 2FA
- Ask questions before sharing your personal health information
- Learn to spot the signs of a phishing scam
- Monitor your credit reports for unpaid medical bills
- Maintain records of your legitimate medical care
- Protect any documents that contain your medical information
More than 50 million Americans were impacted by healthcare data breaches in the first half of 2023 alone [* *]. Follow these tips to help protect your health data and prevent medical identity theft:
1. Know the warning signs of medical identity theft
Medical identity theft is often considered a silent crime. You might not realize that your medical identity has been stolen until you start receiving unfamiliar medical bills or improper medical care.
To keep your health care information safe, it’s important to spot the early warning signs of medical identity theft and address it before an identity thief causes too much damage.
Here are some of the most common warning signs of medical identity theft:
- You get an unexpected medical bill. If you received a bill for a medical treatment you didn’t receive, contact your doctor’s billing department and request more information.
- Your healthcare provider notified you of a data breach. If your health insurance company was hacked, it’s possible that scammers gained access to your medical information.
- A debt collector contacted you about medical debts. If a debt collector notifies you about unpaid medical debts, but you don’t owe any money for past care, a hacker might have stolen your information and used it to get medical services.
- Your doctor has the wrong information on file. If a scammer has stolen your medical identity, your doctor might have incorrect personal information on file for you — like the wrong prescriptions, wrong surgical history, or wrong address.
- Your insurance provider claims you’ve reached your benefit limit. If your insurance coverage and benefits are maxed out — but you didn’t use them — someone may have stolen your identity.
The bottom line: Any unfamiliar medical bills, debts, or treatment notices are clear warning signs that someone is using your medical identity, and you need to act quickly. Aura monitors your health insurance ID numbers, credit file, and more, and can warn you in near real-time of fraudulent activity. Try Aura free for 14 days and protect yourself and your family from scammers.
2. Review your Explanations of Benefits (EOB) and bills
If you have health insurance, whenever you receive medical treatment your insurance company sends an Explanation of Benefits (EOB) and a separate bill to your mailing address.
The EOB contains a breakdown of the services you received, how much is covered by insurance, and how much you owe. The bill reflects the final amount that you’re required to pay.
You might look at the EOB and assume it’s another piece of junk mail, but you should always review every page of these documents closely. Verify that all services on the EOB are accurate. If you don’t recognize one of the services on your EOB or bill, contact your healthcare provider immediately.
What to look for when reviewing your EOB:
- Are the medical services you received accurately described? Even if a mistake isn’t due to medical identity theft, it can cost you money or benefits.
- Are the date, time, and location of the treatment correct? Any treatments in states or cities you don’t visit regularly (or ever) are causes for concern.
- Were you only charged once for the service? Unscrupulous doctors or medical office scammers may charge you multiple times for a single service. This is a form of Medicare fraud.
3. Safeguard your health insurance card and Medicare cards
You may not use your health insurance ID card often, but you should still protect it the way you would safeguard your credit cards or driver’s license. If you lose your health insurance card or Medicare card, someone could find it and get access to your plan information — opening the door to medical identity theft.
In case of an emergency, you should always have your health insurance ID card details nearby. But instead of relying on a physical card, you might be able to access a digital ID card through your smartphone. This eliminates the need to carry a card in your wallet. Just make sure to use your phone’s security features — such as biometric logins — to protect your digital card in the event that your phone gets stolen.
What to do if your health insurance card is lost or stolen:
- For commercial insurance: Contact your health insurance company right away. They can give you a new number and a replacement card.
- For Medicaid: Contact your state’s Medicaid agency to get a replacement card [*].
- For Medicare: Request a new card through your my Social Security account, or by calling 1-800-772-1213. Your local Social Security office can also issue a new card [*].
4. Collect your mail as soon as possible
Leaving mail sitting in your mailbox could leave you susceptible to medical identity theft, especially if you’ve recently received health care. Sneaky thieves could sort through your mail and steal letters that look like they might contain personal information, such as a bill from your medical provider.
As a best practice, you should always collect your mail as soon as you can, particularly if you’re expecting an EOB or bill from your doctor. If you’re going to be on vacation or away from home for a few days, ask a trusted friend or neighbor to collect your mail and hold onto it until you return.
5. Secure your online accounts with strong passwords and 2FA
Data breaches and cyber attacks are among the most common ways that hackers gain access to your health insurance information. For example, in July 2023, HCA Healthcare disclosed that the health information of 11 million patients was leaked in a recent data breach [*].
While you can’t control the digital security of services that store your medical and personal information, you can take steps to secure your own online accounts against hackers.
How to secure your online accounts against hackers:
- Use strong and unique passwords for every account. A longer password is much harder to crack. Opt for at least 10 characters, including upper and lowercase letters, numbers, and symbols. Make sure you never repeat passwords on multiple accounts so as to limit the damage scammers can do if one of your passwords is compromised.
- Enable two-factor authentication (2FA) whenever possible. 2FA is a secondary security measure that requires a second form of verification to log in to your accounts (such as a one-time-use code sent to your phone, or biometrics like your fingerprint).
- Store your sensitive passwords in a password manager. Instead of trying to remember every long and complex password, store them all in a secure password manager. This way, you’ll only need a single master password to access each account.
6. Ask questions before sharing your personal health information
If you’re seeing a new doctor or specialist, you might need to let them know about your past medical history, surgeries, drug and alcohol use, prescriptions you’re taking, and similar information that could inform treatment. But if you’re unsure why the doctor needs certain information, always ask whether you’re required to provide it.
When you give personal health information to your doctor, it gets stored in your electronic medical record (EMR). If the office’s network gets hacked, an identity thief could gain access to your EMR and use your information to commit medical fraud. If you can omit some of your personal health details, it could keep you safer in the long run.
Questions to ask before sharing personal health details:
- Why is this information important for the doctor to have?
- Who has access to my EMR?
- How are EMRs stored? What security measures are used?
- Do you have to include my SSN or insurance plan information in my EMR?
7. Learn to spot the signs of a phishing scam
Another common way that scammers get your health insurance number is through phishing scams. You might get an unsolicited email, text message, or phone call from someone asking you to provide your insurance information.
If you find yourself in this situation, never reveal your information. If the request is from a legitimate person, you should be allowed to verify the information in another way (like going to the doctor’s office in person if the person contacting you is from the billing department).
How to spot the signs of a phishing scam:
- You’re contacted out of the blue by someone (or a company) you don’t know. Any unexpected contact is suspicious. Always verify who is reaching out by hanging up and contacting the agency or company directly.
- They ask for sensitive information, like your SSN or health plan number. You shouldn’t have to give out this information over the phone. Treat any request for sensitive information as a warning sign.
- The person or company creates a sense of urgency to prompt you to respond or disclose your information. Fraudsters may threaten you with fees, fines, or even jail time to try and get you to give them what they want. In other cases, they could promise you something that’s too good to be true, such as offering to pay your medical bills.
8. Monitor your credit reports for unpaid medical bills
One of the biggest dangers of identity theft is a damaged credit score. If scammers use your personal information to rack up medical debt, this can have a major impact on your credit score.
To protect yourself against medical ID theft, it’s a good practice to monitor your credit report for unpaid medical bills. If you notice an outstanding bill that’s unfamiliar, or if it’s from a medical facility or provider that you don’t recognize, it’s possible that you’re getting scammed.
How to monitor your credit report:
- Request a free credit report through annualcreditreport.com. Until the end of 2023, you can get a free copy of your credit report every week from each of the three main credit bureaus – Experian, Equifax, and TransUnion. Review these reports carefully for unfamiliar medical debts.
- Alternatively, sign up for a credit monitoring service. Aura monitors your credit report around the clock at all three bureaus. If anything suspicious is found, Aura sends the industry’s fastest fraud alerts and provides 24/7 support to help you deal with fraudsters.
9. Maintain records of your legitimate medical care
Keep a detailed log of all the medical care that you receive so you can prove your medical history in the event that your identity is stolen.
Once a year, request a copy of your most recent medical records from your health care providers. You can typically request these documents for free [*]. Some of the documents you might request include hospital discharge notes, surgeries, and major test results. You can also ask your pharmacy to provide a list of the medications that you were prescribed during the year.
10. Protect any documents that contain your medical information
If your medical information ends up in the wrong hands, this could have major ramifications for you. Make sure you protect (or shred) any documents that contain your medical information.
For example, if you receive an EOB or bill in the mail, shredding the document before recycling it will ensure that your plan number can’t be recovered. Also, don’t toss out prescription bottles as soon as they’re empty. Instead, use a marker to black out your name, the doctor’s name, and the prescription name before the bottle goes in the trash [*].
Are You the Victim of Medical Identity Theft? Here’s What To Do
If you realize that your medical information has been stolen, it’s important to act quickly. Medical identity theft is identity theft, and it can lead to dire consequences. You need to stop the scammers, correct your records, and take the necessary steps to avoid further damage.
Here are some things you should do if your medical identity has been stolen:
- File an official identity theft report with the Federal Trade Commission (FTC). Report the medical identity theft to the FTC through identitytheft.gov. Once you submit the report, you’ll get a personalized recovery plan along with assistance to help you put the plan into action.
- File a police report. The FTC recommends filing a police report if your medical identity has been stolen. While local law enforcement won’t necessarily investigate your case, it can be helpful to include a police report in your FTC report as well as when contacting your insurance provider [*].
- Review your medical records to identify all instances of fraud. Request a copy of your medical records to find out what type of fraud occurred and when it took place. Note the instances of fraud (like appointments you didn’t attend, or medications you didn’t request), which will help you prove the fraud to your insurance company.
- Report errors to your healthcare provider via mail. Once you’ve identified the instances of fraud, submit a letter via mail to your insurance provider or doctor’s office. Provide a copy of your medical records including errors noted, your old medical records (if you have them), an explanation of the situation, and a copy of the FTC identity theft report.
- Contact the OIG’s fraud hotline. If you suspect Medicare fraud, you can contact the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) either online or by calling 1-800-447-8477 (1-800-HHS-TIPS).
- Check your credit reports for medical debts, and dispute them. Fraudulent medical debts will need to be removed from your credit reports. Contact each of the three bureaus and send each one a credit dispute letter clearly outlining the issue.
- Freeze your credit with all three bureaus to prevent further fraud. To avoid further credit damage, consider freezing your credit with the three credit bureaus (Experian, Equifax, and TransUnion). Freezing your credit is free, and it won’t impact your credit score.
- Secure your personal information. Limit the information that scammers can find out about you by removing your contact information from social media platforms and other online sources.
- Consider signing up for identity theft protection. Using identity theft protection can keep your personal information safe. With Aura, you’ll get notified in near real-time if your accounts or SSN are leaked in a data breach or detected on the Dark Web. You can also get 24/7 identity recovery assistance if you become a victim of identity theft.
The Bottom Line: Medical Identity Theft Can Have Life or Death Consequences
There’s no denying that sophisticated hackers and fraudsters are after your health care information — either to sell for profit on the Dark Web or to use to get illegal prescriptions and medical care. Once your health care records have been misused or altered, you could be misdiagnosed, receive the wrong medication, or lose access to treatments and medicine that you need.
One of the most effective ways to keep your sensitive information safe from scammers is to sign up for Aura’s all-in-one cybersecurity solution. Aura offers award-winning identity theft protection that will safeguard your personal details online — including up to three health insurance IDs.
And if the worst should happen, every adult member on your Aura plan is protected by up to $1 million in insurance coverage for eligible losses due to identity theft.