Medical Identity Theft: Harm Beyond Healthcare
IN A NUTSHELL:
- Medical identity theft has financial and health consequences
- Medical records are worth a lot of money on the dark web
- Patients and healthcare providers can become victims of medical identity theft
Medical identity theft occurs when someone uses a person’s Social Security number, health insurance number and other personally identifiable information (PII) to receive healthcare services, prescription drugs or surgery. Medical identity theft can also occur when healthcare workers use PII to submit false bills to insurance companies.
The issue is a concern for patients, health care providers, and health plans, according to the Federal Trade Commission.
It is a lesser known type of fraud, yet medical identity theft can have serious financial consequences and impact the victim’s health and wellbeing. Unfortunately, it is like dealing with traditional identity theft and a medical ailment simultaneously.
A third way medical identity theft can occur is when hackers steal information from health insurance companies, medical facilities, and individual medical providers. Relative to a financial account, a person’s medical record is worth a lot more money than their credit card information, according to Experian.
How to Prevent Medical Identity Theft:
The best way to prevent medical identity theft is to keep your personally identifiable information secure and to quickly correct mistakes in your medical records as you would with a credit report. Medical identity theft can be a headache financially and physically. Similar to healthcare, prevention is the best approach to avoid becoming a medical identity theft victim.
Important Steps to Take:
- Check your medical records like you would a credit report, at least once a year
- Check your credit report for unpaid/incorrect medical bills
- Never share PII or health insurance plan information with people outside of healthcare organizations
- Never share personal information with companies offering free services or products related to healthcare
- Continuously review notices from your health insurance company, physician, and pharmacy for strange activity
- Enroll in a Medical Identity Theft Protection service
- Request replacement cards and health insurance identification numbers if your information is ever lost or stolen
- Never share PII on the phone or via email unless you can verify the other person is legitimate
- Properly dispose of documents that have personal health information on them
- If you are contacted by a collection agency, know your rights and request written confirmation of the services
- Maintain copies of medical records as proof of correct information
- Utilize the same practices to avoid general identity theft such as strong passwords for medical accounts
How to Tell if You Are a Victim of Medical Identity Theft:
Similar to other forms of identity theft, it may be difficult to know your medical identity has been stolen until it is too late. There are several tell-tale signs people can be on the lookout for which may be an indication of medical identity theft:
- Patients are billed for medical services they didn’t receive
- Patients are contacted by a debt collector about medical debt they don’t owe
- Patients see obscure medical collection notices on their credit report
- Patients find incorrect office visits or treatments on their explanation of benefits (EOB)
- Patients are told by their health insurance plan that they’ve reached their limit on benefits
- Patients are denied insurance because their medical records show a condition they do not have
Important Information for Healthcare Providers:
If a patient believes they are a victim of medical identity theft, there are several important steps to take. To begin with, review the patient’s medical record for inconsistencies. If it appears that medical identity theft occurred, notify everyone who accessed the patient’s medical or billing records and have the incorrect information changed.
Healthcare providers must understand their obligations under the Fair Credit Reporting Act (FCRA). In the event that a patient supplies a healthcare provider with an identity theft report, the Act states that any debt associated with the theft may not be reported to any of the credit reporting companies.
Anytime a possible medical identity theft involves an individual healthcare provider, their facility, or a network, it is a good idea to review security policies and HIPAA Privacy and Security Rules. If a HIPAA Compliance Breach on the behalf of a healthcare facility resulted in a patient’s medical identity being stolen, the fines could be monstrous.
Healthcare is not the only industry subjected to massive data breaches. In August of 2021, out of the 160 data breaches reported, cell phone service provider topped the list. The T-Mobile data breach affected more than 50 million people and compromised Social Security numbers, driver’s licenses, phone numbers, and International Mobile Equipment Identities. All of these could be used to steal a person’s identity in some form or another. It is the second T-Mobile breach in 2021 and the third since December 2020.
Not too far behind T-Mobile is St. Joseph’s/Candler Health System, who suffered a ransomware attack that impacted 1.4 million patients and employees. The incident compromised personal medical information, financial information, and health insurance information–once again highlighting the importance of healthcare data security.