U.S. markets closed
  • S&P 500

    -28.32 (-0.68%)
  • Dow 30

    -256.33 (-0.75%)
  • Nasdaq

    -128.50 (-0.92%)
  • Russell 2000

    -43.79 (-1.96%)
  • Crude Oil

    -0.77 (-1.21%)
  • Gold

    +8.90 (+0.50%)
  • Silver

    +0.05 (+0.21%)

    -0.0003 (-0.02%)
  • 10-Yr Bond

    -0.0390 (-2.44%)

    -0.0043 (-0.31%)

    -0.0540 (-0.05%)

    +1,257.95 (+2.26%)
  • CMC Crypto 200

    +60.48 (+4.90%)
  • FTSE 100

    -140.21 (-2.00%)
  • Nikkei 225

    -584.99 (-1.97%)

How to fight medical identity theft

Karen Haywood Queen

If your credit card or bank account is hijacked, it can ding your credit score and be a hassle to correct while fraudsters run up bills in your name.

When your medical identity is stolen, the stakes rise. Not only is your credit on the line, but also your health, as identity thieves get services or drugs that become part of your medical history. So it is critical that you know the steps to combat the theft.

"Medical identity theft steals more than your money and your personal identifiers," says Jim Quiggle, director of communications for the Coalition Against Insurance Fraud in Washington. "The crime can also steal your sense of well-being and impose a shock trauma that can last long after you've cleared up the theft itself."

Medical identity theft involves the misuse of your personal identification, often including health insurance, to obtain treatment, costly medical devices or prescription drugs. Thieves range from organized hacker networks to friends or family members who may use the victim's health insurance as well as their Social Security number and other identifying details. Victims often discover the theft after being dunned for unpaid medical bills, or receiving an insurance company's explanation of benefits form for care they did not receive. (Story continues below.)

From 2009 to 2015, more than 143 million U.S. patient records were compromised, according to data security company iSheriff, based in Redwood City, California. Massive breaches at insurers including Anthem and Premera Blue Cross have raised alarms as hackers target troves of health information. More data breaches happen in the health care industry than in any other sector, according to the Identity Theft Resource Center.

Other exposures may happen inadvertently when records are mistakenly shared or are exposed by the patient. The Medical Identity and Fraud Alliance estimates that 2.3 million adults were victims of medical ID theft in 2014, up 500,000 from 2013.

"The financial sector is light years ahead of the medical sector," says Pam Dixon, executive director of the World Privacy Forum. "When you have fraud on a bank or credit card account, you can delete erroneous information; you can dispute it; you can cancel the credit cards and get new ones. You cannot do this with medical identity theft."

Unlike with banking fraud, there is no $50 cap on your losses if reported quickly. In fact, health care privacy laws can make it difficult to correct your medical history while you pay expenses out of pocket. The average out-of-pocket cost to victims of medical identity theft was $13,500, according to a study released earlier this year by the Medical Identity and Fraud Alliance.

Victims reported being embarrassed because of health information made public -- either incorrect information or correct but sensitive details that previously had been private, says Ann Patterson, the medical fraud alliance's senior vice president and program director. Other victims reported losing jobs, missing out on promotions and raises, paying out of pocket for claims that insurance should have covered and even losing health insurance.

Worse than embarrassment are the legal woes that can result from medical ID theft, as thieves may use the victim's ID to obtain prescription narcotics for themselves. Drug rings use multiple victims' IDs to get narcotics to resell on the street, Patterson says.

Finally there's the lifelong worry of medical mishaps because someone else's health information is mingled in victims' files. "Your medicines and allergies may be incompatible with a thief's," Quiggle says.

One victim's tale
Anndorie Cromar, a medical lab supervisor in Salt Lake City, became a medical identity theft victim in 2006 after her mobile phone, checkbook and driver's license were stolen. She reported the theft, changed accounts at her bank and checked her credit report. "I did all the things you were supposed to do," she says. "Then, I kind of forgot about it."

The thief was a pregnant meth addict who used Cromar's identity when she gave birth prematurely in a hospital a few months later, Cromar says.

Because emergency departments are required by law to treat patients, some medical identity thieves show up at the hospital with only a false name and date of birth, and get treatment, Patterson says.

The identity thief slipped out of the hospital without her child. When her baby showed positive for drugs, the hospital and others began investigating.

"I got a call from Child Protective Services saying I was being investigated," says Cromar, who does have four children including twins born prematurely with serious health problems. "The caseworker said the baby I had had a week ago tested positive for meth. They said they had to take all my children into custody because I was a drug addict."

Child Protective Services eventually believed Cromar. But because Cromar was listed on the newborn's birth certificate as the legal parent, she still had to attend a court hearing where the agency was assuming custody of the infant. "At 6 a.m., I had a constable show up at my house serving me papers saying I had to go to a hearing about child custody," she recalls. "When I called the police, they said, 'What do you want us to do about it?'"

Cromar had to take a DNA test to prove she wasn't the mother of the baby. She continued to get reminders to take the infant to appointments. She spent hours on the phone with numerous medical billing offices getting charges removed. One medical office refused to remove a sonogram the other woman had obtained.

Some victims find out about the theft when a bill goes into collection, Patterson says. Fifty percent of victims surveyed said the issue still was not resolved and 10 percent said it took more than two years, she says.

Privacy laws can make it difficult to correct the record. Some medical providers will interpret HIPPA to protect the privacy of the medical identity thief and won't release your own file to you, Dixon says. "Some of the most common phone calls we get are from people who can't get their health care files -- the hospital won't release them because there was a fraud problem, or because of HIPPA," she says.

Big task ahead
Victims need to work on two levels," Quiggle says. "They need to restore their good name and their good medical records. They also need to restore their emotional health from the shock and trauma of having their health records ripped off."

Correcting the record is a daunting task, starting with tracking down all the places where your information could be stored. Your information could be at labs, MRI imaging firms or, a physical therapist, for example, Quiggle says.

"The first rule is don't panic," he says. "You're under fierce stress. Stay calm. Some people find keeping a journal is helpful. It's a way of venting your emotions in a healthy way but also organizing your thoughts to help devise a plan of action."

"Once you've been a victim and you know your medical records have been compromised, it's a smart thing to constantly revalidate the information," Patterson says. "Some victims do say they've been victimized multiple times. You end up having to stay on top of it forever."

See related: How to spot and prevent medical identity theft