You may know medical identity theft is on the rise, but do you know how you'd be affected if it happened to you? A medical identity thief steals personal information such as your name or medical card number to obtain medical care or prescriptions for themselves or to purchase pricey medical equipment to sell. For anyone it’s a hassle, but for a person managing a severe health issue, it can be life-threatening if you’re denied services due to corrupted medical records.
In many cases, medical identity theft occurs because of mistakes in a medical office or because a relative steals personal information. However, data breaches have reached an all-time high, and these are almost impossible to guard against. According to a new study by the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, criminal attacks now account for half of all data breaches in healthcare; the other half occurs because of internal errors like employee mistakes or stolen devices. Worse, nearly 90 percent of healthcare organizations in the study experienced a data breach in the last two years.
Data breaches of medical organizations and health insurance companies are on the rise for a few reasons. One, healthcare organizations are digitizing their records. Additionally, many don’t have good protective measures in place yet, setting themselves up as targets for cyber criminals. Criminals also understand the value of healthcare data on the black market.
A data breach doesn’t automatically mean you’re the victim of medical identity theft, but it’s problematic because you don’t know what happened to your information or if it will be used, says Eva Velasquez, President and CEO of Identity Theft Resource Center (ITRC), a non-profit organization providing education on identity theft and helping victims mitigate their cases. If you do become a victim, the consequences can range from medical to financial to criminal..
If your insurance company has been breached, it must notify you about which information has been compromised, Velasquez says. Part of the difficulty with protecting yourself against medical identity theft is there’s no way to lock down your medical records as you can with your financial records by alerting the credit reporting systems, she says. Because every data breach is different, and each instance of medical identity theft is unique, she recommends calling ITRC for free assistance and to learn best next steps. The ITRC website lists data breaches and has just released a new report on medical fraud findings.
What to do if you're a victim
Stolen medical information isn’t as noticeable as someone stealing your credit card and running up a bill. The best way to watch for theft is to keep an eye on your “Explanation of Benefit” (EOB) statements from your insurance carrier. If insurance covered the service in full and there’s no bill, the EOB may be your only clue, Velasquez says. If you don’t recognize the service listed, call your insurance company immediately. Also watch for these red flags, recommends the Federal Trade Commission:
- A bill for medical services you didn’t receive.
- Your health plan states benefit limits have been reached when you know they haven’t.
- Your insurance denies a claim for a health issue you don’t have.
- Credit report contains a medical collections notice for services you didn’t receive.
The problem with medical ID theft is it can pop up over and over because thieves simply move to new providers, so it’s important to stay alert. If you believe you’ve been targeted, Velasquez advises the following actions.
File a police report. Sometimes it’s possible to resolve an issue without a report, but more often a police report is necessary to prove you’ve been victimized. Send copies to your medical providers, insurer and credit bureaus.
Alert your health insurance carrier. They should disable your account and issue a new one, along with a new card. Also, always report a missing or lost health insurance card even if you’re not a victim of fraud.
Notify specific providers. If your information has been used at specific locations like a pharmacy or hospital, notify these providers of the theft.
Request copies of medical records to review. Your records can provide important clues to how the thief used your information. You may not need all your records, but, for example, if someone filled a prescription in your name, ask the doctor who wrote the prescription and the pharmacist who filled it for copies of those records. If you’re refused, appeal.
Velasquez also says if you ever receive an EOB for a service that seems like an absurd mistake (the ITRC once helped an elderly woman billed for a vasectomy performed in another state) or you assume a collections agency got the wrong number when they called you, you should always follow up to find out if your identity was stolen.
How to protect your information
Because medical identity theft is so problematic, it’s important to guard your medical information as closely as you guard your financial information. Here’s what experts recommend.
Store records in a safe place. Shred insurance statements, medical bills and prescription bottles’ labels as vigilantly as you shred your financial information.
Be careful sharing by phone. Unless you have initiated the conversation and know whom you’re talking to, avoid sharing medical or insurance information over the phone or via email.
Watch out for “free” services. Don’t give out your health plan identification number to someone who approaches you about services or products. Thieves may pose as an employee at a medical office, pharmacy or insurance company.
Guard sensitive health information. Velasquez says she was required to fill out a health questionnaire to receive a facial at a dermatologist’s office. Because she wasn’t a regular patient or receiving medical services, she refused to give her information.
Monitor your credit reports. Obtain a free credit report from each of the three major credit bureaus at AnnualCreditReport.com. Keep regular tabs by obtaining one of them every four months. Watch for delinquent bills and unusual activity, says Velasquez.