ID Theft: Medical Identity Theft

What is medical identity theft?

Medical identity theft is a serious problem.  Medical identity theft made up only .7% of all reported identity theft in 2012, but the results of medical identity theft are very dangerous.  When a patient’s identity is stolen, they can be charged for services they have not received, subjected to calls from debt collection agencies, refused medical services they need or deserve, and/or arrested for illegal activity they did not commit.  Misinformation in a patient’s records can often affect his life insurance premiums and job applications.  Oftentimes, patients pay the bill because they do not know how to correct the information or to avoid the long process of making the corrections.

Types of Medical Identity Theft:

  • Financial:  Financial medical identity theft occurs when someone is getting medical help using your name and/or insurance information.  In these situations, a doctor bills you or your insurance company for services provided to another person. 
  • Criminal:  Criminal medical identity theft occurs when you are held responsible for another’s criminal behavior.  For example, this could occur if a person who has used illicit substances checks into a hospital using your information.  In these situations, the hospital may report to the police that they suspect you have engaged in illegal activity.  This may result in your arrest, among other consequences. 
  • Government benefit fraud:  Government benefit fraud occurs when your government-provided medical benefits are used by another person.  You may find out about this fraud because you are informed you have used benefits that you have not in fact used. 

Warning Signs

You may be a victim of medical identity theft if:

  • You receive a bill for medical services that haven’t been received
  • You receive a call from debt collectors about a medical debt you do not owe
  • There are medical collection notices on your credit report that you don’t recognize
  • You receive a notice from your health plan saying you reached your benefit limit
  • You are denied insurance coverage because your medical records show a condition you do not have
  • Your medical provider’s records have been compromised.  The U.S. Department of Health and Human Services publishes a list of providers whose records have been exposed more than 500 patients to identity fraud.  Consumers can look at this webpage to determine if they may be a victim. 

What to do if it happens to you

Correcting Medical Identity Fraud:

(1)    Get copies of your medical records.  You have the right to know what is in these records.  Understand you may be charged to obtain the copies.  If the provider does not provide these records within 30 days of a written request, you can complain to the U.S. Department of Health and Human Services Office for Civil Rights.

(2)    Obtain copies of the “accounting of disclosures” from each of your health care providers and your health plans.  These records keep track of the medical information the provider has sent about you.  They also record the person to whom the information was sent, on what date, and why. 

(3)    Check for errors and contact the health care providers, pharmacies, or laboratories where those errors have been recorded.  Send these providers written notice of any errors.  Send them copies of the documents with the erroneous entries circled.  Explain why these entries are incorrect and explain how you would like them to be corrected.  Send your communication by certified mail return receipt requested so that there is a record of what the provider has received.  Keep copies of all records and documents received and sent.  The health plan or medical provider is required to change mistakes in its records.  It should correct any errors within 30 days.  It should also correct any prior communication concerning these mistakes, such as its communication with labs or other health care providers. 

(4)    Obtain a police report and/or an Identity Theft Report from the FTC.  Send this report to your health insurer and all three credit reporting companies.

(5)    If the provider agrees that this is an instance of fraud or identity theft, get this determination in writing.  Keep the document forever.

(6)    Order copies of your credit reports.

(7)    Consider placing a fraud alert or security freeze on credit files.

Correcting Criminal Medical Identity Theft:

(1)    Find out what you have been charged with and the medical treatment that was allegedly provided.

(2)    Provide law enforcement with proof that you are not the individual who committed the illegal activity and who received treatment. 

(3)    Make sure all incorrect arrest warrants that list your name are changed to John Doe or Jane Doe.  Make sure this is done at both the federal and state level if necessary. 

(4)    Get a written document that states you were cleared of all charges. Keep it forever.  Maintain a copy in your car, at work, at home, and with a close friend or relative in case you are later arrested.

Correcting Government Benefit Medical Identity Theft:

  • Contact the agency administering the benefits to ask what steps to take. 
  • Provide proof that you were not the one receiving treatment, if you have any.  This can include proof you live far away from where the services were provided.  It can also include proof that you did not undergo the procedure in your records because you don’t have a scar or other marking.

Prevention Tips

Protecting yourself from medical identity theft:

  • Medical information is valuable to thieves who may pretend to be in the healthcare industry in order to trick you into revealing sensitive healthcare information.
  • Be suspicious if someone offers “free” health services but requires a health ID number.
  • Do not share medical information over the phone or by email unless you initiated contact and know with whom you are communicating.
  • Keep medical records in a safe place.  Before you discard health care papers, shred all documents which contain personal information. Remove labels from prescription bottles before discarding - they list your name, your pharmacy, the type of drug you are using, your doctor's name and other personal information.
  • When sharing personal healthcare information online, look for a lock icon (picture) on the browser’s status bar.  The URL should begin “https://”.  The “s” stands for secure.   Read the privacy policy, if any, on the website, to determine how or if the organization shares your personal information with third parties.  If the information is very sensitive, such as your social security number or insurance account numbers, you may want to personally contact the organization requesting such information in order to find out why the information is needed and, again, how it will be kept safe.  

The Ponemon Group conducts a study of medical identity theft victims annually.  It conducted a 2012 study of 757 victims of identity theft.  In this study, it made the following statistical determinations and conclusions:

  • Medical identity theft has been estimated to affect .68% of the total U.S. population, which is about 1.85 million Americans.
  • The average cost of medical identity theft is approximately $22,346.  Assuming an estimated 1.85 million Americans are affected, the estimated annual cost of medical identity theft is $41.3 billion nationwide. 
  • When a thief steals medical information, it is most often used to obtain healthcare services, prescriptions, or medical equipment.  This is consistent with a 2010 finding by the same institute.
  • The identity thief is more likely to be a family member than anyone else.  In 2012, 35% of victims said a family member took their information without their knowledge.  This number was 36% in 2011 and 33% in 2010. 
  • The next most likely cause of medical identity theft is fraudulent billing by a healthcare provider.  Fraudulent billing impacted 22% of the victims in the 2012 study. 
  • Participants were asked to identify up to two financial consequences of medical identity theft.  The most often reported consequence was the out-of-pocket payments to the health plan or insurer to restore coverage.  The study indicated that 47% of the victims had to pay the health plan or insurer.  However, 27% said there was no financial consequence.  21% reported lost time and productivity in trying to fix inaccuracies on credit reports and another 21% indicated a consequence of a diminished credit score.

Provider identity theft

Providers of Medicare and Medicaid are also at risk for medical identity theft.  This occurs when a fraudster obtains a medical provider’s identification information.  The fraudster may make it appear as if a provider rendered medical services that were not actually performed.  Or, the fraudster makes it appear as if the provider ordered additional health services, such as home health care or durable medical equipment, when that provider did not order such equipment.  Patients and the provider are both impacted by this type of identity theft.  The patient may be unable to obtain future medical care.  The provider may have letters from the IRS indicating income has been received but not reported, may have overpayment demand letters, and may encounter credit and reputation issues.

What to do

When the theft involves Medicaid or Medicare, providers can report it to their point of contact.  The Center for Medicaid and Medicare Services provides one point of contact for each state. 

When the theft does not involve Medicare or Medicaid, it should be reported to local law enforcement, the Federal Trade Commission and the U.S. Department of Health and Human Services.