When you think of identity theft, you probably picture your information (or better yet, somebody else’s) being stolen in a data hack and then misused for fraudulent purposes. That’s one common form identity theft takes, but there are some less obvious kinds of identity theft that can be equally serious.
One of those is medical identity theft, which steals some portion of your identity to defraud the health care system in one way or another. This isn’t just another source of potential financial hardship, but in a worst-case scenario could cost you your life.
What Is Medical Identity Theft?
Medical identity theft was first named and identified as a distinct form of health care fraud in 2006 by a working group from the World Privacy Forum, which has since continued to monitor the problem. It’s especially prevalent in the southeastern corner of the U.S., but it’s spreading elsewhere as well.
The details vary widely, but in broad terms medical identity theft attempts either to fraudulently obtain care or to extract money from the health care system through bogus claims. A few potential examples might include:
- A person who can’t afford insurance buys yours from a scammer.
- A person who’s uninsurable applies for, and gets, insurance using your information.
- A person who needs costly tests or treatments claims them under your coverage, using your ID.
- A person with a drug habit secures prescriptions from multiple doctors, giving each one a separate fake identity.
- Scammers file fake claims in your name with your insurer, or with Medicare or Medicaid, for services that have not been performed.
If you don’t recognize what’s happening, the eventual repercussions can be costly.
How Medical Identity Theft Happens
While some medical identity theft begins with a large-scale data breach (and health care providers in general are increasingly under attack from hackers), the root causes are often more mundane.
Phishing is one common approach scammers use. You might receive an email, text or phone call purporting to come from your insurer, from Medicare, or from a health care provider (for example), needing to “verify” your information. Scammers may offer “free” products or services, but they’ll need your Medicare number or insurance information — “just for their records.” Some especially brazen scammers might even approach you in a parking lot, offering an incentive or reward of some kind in exchange for the use of your Medicare number.
Medical identity theft can even start with something as simple and low tech as a thief stealing mail from your mailbox and finding statements from your insurer, health care provider or Medicare; or “dumpster diving” for empty pill bottles or prescription records in your trash.
The Financial Cost of Medical Identity Theft
Like with any form of identity theft, putting things right can be costly. It’s not hard to imagine how quickly things can add up when you consider the cost of even routine medical care. In 2019, the state of New York put the cost per incident at around $20,000. Over time you should be able to have many of those charges stricken or reversed, but in the interim it can put you in some financial difficulty.
The indirect impacts can be equally damaging. Scammers in general are keener to run up a tab than to pay it off, and all of those unpaid bills will be in your name. The impact on your credit rating can take a long time to correct, reducing your access to credit (and increasing its cost) at exactly the time when you need your credit to dig yourself out of the hole caused by the fraud.
Finally, there’s a significant societal cost. Medicare fraud alone accounts for roughly 1 out of every 10 dollars disbursed through the system, though some experts think the number could be significantly higher. That’s a huge burden on the system, a huge drain on everyone’s tax dollars, and — more importantly — it sharply reduces the funds available for legitimate purposes.
The Personal Risk of Medical Identity Theft
The financial cost of medical identity theft isn’t the only impact you need to be concerned about and may not be the most important. There’s also a degree of personal risk involved because medical identity theft can affect your own care.
Many people take life saving medications — insulin springs to mind — and are at high risk without them. Suppose you need to get a refill but can’t because a scammer has maxed out your coverage? How long would it take to get that sorted out, especially if you happened to be away from home at the time? Would your life be in danger? If your coverage was compromised, would you be able to get the level of care you need in an emergency? Would you have the resources to pay up front while you tackled the fraud?
Suppose someone’s using your identity to receive treatment. If you need care yourself, your provider will be working from someone else’s medical information. The potential for inappropriate measures to be taken, or incorrect medications to be prescribed, is significant and potentially life-threatening. If the potential financial cost of medical identity theft doesn’t keep you up at night, that might.
How To Know if You’re a Victim of Medical Identity Theft
For the most part, the signs of experiencing medical identity theft are broadly similar to those you’d see with any other kind of identity theft. You may find that your credit score begins to fluctuate for reasons you can’t explain or that you get surprise collection calls. Aside from those standard-issue “red flags,” you’ll also see some that are specific to medical identity theft because it’s, well…medical.
You may see bills or statements from care providers you don’t deal with or at least haven’t dealt with recently. You may also find statements from your insurance provider that list treatments, prescriptions or payments you don’t recognize. Those should always be treated as a serious red flag.
What To Do if You’re a Victim of Medical Identity Theft
One 2015 study found that only about 10% of victims impacted by medical identity theft ever reached a fully satisfactory resolution. That’s partly because HIPAA’s privacy requirements make it mandatory for you to be directly involved in every step of the resolution process and partly because — unlike with conventional identity theft — most people simply don’t know where to begin.
The FTC has a succinct list of steps to take immediately. One is to contact your insurer and request an explanation of benefits (EOB) statement, which you can check for errors or fraudulent charges. Another — rather more time consuming — is to contact each and every health care provider or facility where your identity was misused, request copies of your records (there will probably be a small fee), and get back to them about any fraudulent charges. Providers are potentially liable for fraudulent payments, so they’re just as keen to get on top of this as you are.
File a report with your local law enforcement agency if fraud has been committed. Also, and most importantly, report the incident at the FTC’s IdentityTheft.gov website. Aside from showing that you are taking the situation seriously, there’s a practical benefit. The site will walk you through creating a personalized recovery plan, outlining the specific steps you’ll need to take to extricate yourself from the scenario. This can be a big help if — like most people — you’re not already familiar with the unique difficulties of resolving medical identity theft.
Protecting Yourself From Medical Identity Theft
Protecting yourself against medical identity theft is much the same as guarding against other forms of fraud and identity theft: It takes a combination of vigilance, self-education, skepticism and plain old common sense. Requesting copies of your records from your medical and insurance providers, and reading them carefully, is a fundamental starting point. So is requesting a credit report periodically from each of the Big Three credit reporting bureaus (you’re entitled to a free one once a year from each of them).
Reading up on current scams at sites like the FTC’s identity theft page or the Better Business Bureau’s Scam Tracker (or blogs like this one) is a good way to stay informed about the latest tricks. Even better, stick to what you know: Reminding yourself of truisms like “If it sounds too good to be true, it probably is” and “There’s no such thing as a free lunch” can help keep you out of trouble.
Finally, Spokeo offers a fantastic resource to help keep you out of trouble. The identity protection you get as part of your Spokeo Protect subscription includes dark web monitoring, which can tell you if your medical account numbers have been offered up for sale in that murky corner of the internet. Think of it as an early warning system for identity theft.
It may not be possible to protect yourself completely from identity theft, but following those steps can help keep you more secure.
References:
- World Privacy Forum – The Geography of Medical Identity Theft
- Quest Diagnostics – Quest Diagnostics Statement on the AMCA Data Security Incident
- HIPAA Journal – Why Are Hackers Targeting the Healthcare Industry?
- Centers for Medicare and Medicaid Services – Protecting Yourself & Medicare From Fraud
- Department of Health and Human Services – Medical Identity Theft & Medicare Fraud
- New York State Senior Medicare Patrol (SMP) – Medical Identity Theft: Tips for Protecting Yourself and Medicare
- AARP – Medicare Under Assault From Fraudsters
- Ponemon Institute – Fifth Annual Study on Medical Identity Theft
- U.S. Federal Trade Commission – Medical Identity Theft: What To Know, What To Do
- Centers for Medicare & Medicaid Services – Victimized Provider Project
- U.S. Federal Trade Commission – What To Know About Identity Theft
- Better Business Bureau – BBB Scam Tracker