Medical Identity Theft

What Is Medical Identity Theft?

Medical identity theft involves the fraudulent use of a person’s health insurance information to receive reimbursement for healthcare services provided to an individual not covered by the policy. Both patients and providers may commit fraudulent medical claims, depending on circumstances. Other times, the information is stolen by employees or external hackers to profit from selling personal identifying information (PII).

Key Takeaways

  • Medical identity theft is the fraudulent use of a person's health insurance information in order to receive reimbursement for healthcare services.
  • It is possible that both patients and providers may commit fraudulent medical claims but information can also be stolen by employees or external hackers.
  • When a provider commits identity theft it is to obtain reimbursement for procedures that were never performed on the insured individual.
  • Medical identity theft results in similar outcomes to other types of identity theft. Damages include lowered credit ratings, denial of services, increased costs of coverage, and denial of coverage.
  • Monitoring your credit reports and the bills sent by insurance companies, and guarding your private information, can help protect against medical identity theft or make you aware of it.

Understanding Medical Identity Theft

Medical identity theft uses insurance coverage information for one individual to obtain or pay for care for another individual. Medical organizations accounted for 30% of all observed enterprise attacks between 2006 and 2016.

Perpetrators of medical identity theft include hackers who use social engineering to obtain Social Security numbers and health insurance information from unsuspecting medical providers and patients. However, hackers are not the only cause of data loss.

A healthcare provider is almost equally likely to lose private information through either the theft of laptops, flash drives, and backup copies, or by the leaking of private data from an employee.

The loss of patient data from unauthorized access to an insurance company’s or healthcare provider’s database is like other types of identity theft. Motivations for employees who steal patients’ data include greed, revenge, and other agendas. 

Use of Stolen Medical Identities

Stolen health insurance information gets misused in two primary ways. 

  1. Consumers steal insurance information to cover benefits their insurance may not include, or because they have no insurance at all. For example, a drug trafficker might use fraudulent insurance information to purchase prescription drugs.
  2. Providers also may file fraudulent claims on an individual’s insurance to obtain reimbursement for procedures they never performed. They may do this to offset the cost of treating uninsured or under-insured clients.

Victims of medical identity theft can suffer similar outcomes to victims of other types of identity theft. Damages include lowered credit ratings and denial of services. If thieves trigger thresholds for maximum benefits on a policy, policyholders may find themselves unable to get timely coverage for urgent treatments. They might see the yearly cost of their insurance increase, or be denied coverage altogether if the fraudulent treatment included care for things like diabetes, osteoarthritis, or cancer.

When medical identity fraud causes erroneous medical records, the consequences could become even more significant. For example, if an identity thief obtains medical care that enters the wrong blood type into a patient’s medical records and the victim of stolen identity needs a blood transfusion, the results could endanger their life.

Avoiding Medical Identity Theft

The best protection against either external or internal theft is constant monitoring through the use of honeypots and other security practices. Portable storage devices should be carefully regulated, and a regular inventory of their use and location kept. Employees with access to patient data also need monitoring, with access granted based on each employee's work responsibilities.

The Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996 requires health care facilities in the U.S. to follow strict guidelines to ensure they treat patient data, including insurance information, carefully. 

Providers who commit medical identity theft usually do so to obtain reimbursement from an insurance company or the government for services they did not provide. To detect and prevent this type of fraud, consumers should carefully review any explanations of the benefit payments they receive from their insurers. Contact your insurance provider immediately if you get a statement for a procedure you did not receive.

Medical identity thieves typically require a patient’s Social Security number as well as their medical insurance information. Therefore, consumers should guard this information carefully. Only provide your Social Security number or health insurance information when necessary, and then only release the information when its security is guaranteed.

Credit Reports

Consumers should watch their credit reports for unpaid medical bills that enter collections. The Fair Credit Reporting Act requires each of the three credit reporting bureaus to supply consumers with a free credit report once per year.

Federal law also entitles consumers to receive free credit reports if any company has taken adverse action against them. This includes denial of credit, insurance, or employment as well as reports from collection agencies or judgments. Consumers must request reports within 60 days from the date of the adverse action.

Consumers whose main income is from Temporary Assistance for Needy Families (TANF) benefits, unemployed individuals planning to look for a job within 60 days, and victims of identity theft are also entitled to a free credit report from each of the reporting agencies.
