What is Medical Identity Theft

Medical identity theft involves the fraudulent use of a person’s health insurance information to receive reimbursement for health care services provided to an individual not covered by the policy. Both patients and providers may commit fraudulent medical claims, depending on circumstances. Other times, the information is stolen by employees or external hackers to profit from selling personal identifying information (PII).

BREAKING DOWN Medical Identity Theft

Medical identity theft uses insurance coverage information for one individual to obtain or pay for care for another individual. A ten-year study by Trend Micro found hackers who target healthcare information are 72% more likely to gain an individual's personal identifying information (PII) then they are in obtaining financial information. The same study found that security breaches of the Health Care sector account for one-quarter of all reported attempts.

Perpetrators of medical identity theft include hackers who use social engineering to obtain social security numbers and health insurance information from unsuspecting medical providers and patients. However, hackers are not alone in the threat to the loss of data. A healthcare provider is almost equally likely to lose private information through either the theft of laptops, flash drives, and backup copies or by the leaking of private data from an employee.

The loss of patient data from unauthorized access to an insurance company’s or healthcare provider’s database is like other types of identity theft, Motivations for employees who steal patients’ data include greed, revenge, and other agendas. 

Use of Stolen Medical Identities

Stolen health insurance information gets misused in two primary ways. 

  1. Consumers steal insurance information to cover benefits their insurance may not include, or because they have no insurance at all. For example, a drug dealer might use fraudulent insurance information to purchase prescription drugs.
  2. Providers also may file fraudulent claims on an individual’s insurance to obtain reimbursement for procedures they never performed. They may do this to offset the cost of treating uninsured or under-insured clients.

Victims of medical identity theft can suffer similar outcomes to victims of other types of identity theft. Damages include lowered credit ratings and denial of services. If thieves trigger thresholds for maximum benefits on a policy, policyholders may find themselves unable to get timely coverage for urgent treatments. The victim might see the yearly cost of their insurance increase, or denied coverage altogether if the fraudulent treatment included care for things like diabetes, osteoarthritis, or cancer.

When medical identity fraud causes erroneous medical records, the consequences could become even more significant. For example, if an identity thief obtains medical care that enters the wrong blood type into a patient’s medical records and the victim of stolen identity needs a blood transfusion, the results could endanger their life.

Avoiding Medical Identity Theft

The best protection against either external or internal theft is constant monitoring through the use of honeypots and other security practices. Portable storage devices should be carefully regulated, and a regular inventory of their use and location kept. Regulation of employee with access to patient data also needs monitoring with the granting of access based on the work responsibilities of the employee.

The Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996 requires health care facilities in the U.S. to follow strict guidelines to ensure they treat patient data including insurance information carefully. 

Providers who commit medical identity theft usually do so to obtain reimbursement from an insurance company or the government for services they did not provide. To detect and prevent this type of fraud, consumers should carefully review any explanations of the benefit payments they receive from their insurers. Contact your insurance provider immediately if you get a statement for a procedure you did not receive.

Medical identity thieves typically require a patient’s Social Security number as well as their medical insurance information. Therefore, consumers should guard this information carefully. Only provide your social security number or health insurance information when necessary and then, only release the information when its security is guaranteed.

Consumers should watch their credit reports for unpaid medical bills that enter collections. The Fair Credit Reporting Act requires each of the three credit reporting bureaus to supply consumers with a free credit report once per year. Federal law also entitles consumers to receive free credit reports if any company has taken adverse action against them. This includes denial of credit, insurance or employment as well as reports from collection agencies or judgments. Consumers must request reports within 60 days from the date of the adverse action. Also, consumers on welfare, unemployed individuals planning to look for a job within 60 days and victims of identity theft are also entitled to a free credit report from each of the reporting agencies.