What to do if Your Medical Information is Breached

Medical identity theft is likely more frequent and complicated than you may realize

Medical data breaches are on the rise, and with them, medical identity theft and fraud. In fact, healthcare data breaches hit an all-time high in 2021, impacting 45 million people. Data from the Federal Trade Commission (FTC) shows medical identity theft has increased 6x over the past 5 years.

If you suspect medical identity theft

If you suspect medical identity theft, there is no "one size fits all" advice for recovering your identity, except to proceed carefully. If you tell a medical provider that someone else's information is in your medical record, they will be bound by medical privacy law to keep that person's medical information confidential, even if that patient is an identity thief. In this section, we'll explain some ways to get the information you need without losing access to your own records.

Step 1 - Gather information to better understand the charges

Medical identity theft most typically revolves around a debt or insurance claim for medical services. If there is a debt involved, contact the medical provider’s billing department and probe for information. If you receive mail or messages from a debt collector, contact them to determine which medical provider they are collecting payment for.

Note: This is where it gets tricky. If you state that the questions are fraud or identity theft-related then the agent has a responsibility to protect the other patient's privacy. So don't mention theft or fraud at this point. Instead, calmly say you're having trouble remembering about the treatment or that you're concerned the information is incorrect and you're being billed improperly.

Questions to ask medical providers:

  • At what facility or location were the services provided?

  • What doctor provided the medical services?

  • What medical condition were the services for? (There will be a medical code in their billing records.)

  • What are the dates of service?

  • Were any lab tests submitted by another medical provider that you use?

  • Does the organization go by any other name for purposes of billing?

Questions to ask debt collectors:

  • Which medical provider are they collecting payment for?

  • How long has the claim been in collection?

  • Can they provide any additional information about the claim?

Step 2 - Determine if the charges are valid, a mistake, or fraud

This conversation with the medical provider's office should accomplish one of three things:

  1. You determine that this is a valid medical debt. If it's a debt that should have been paid by your insurer, work with your insurer and provider to get the bill paid and, if necessary, taken out of collections and off your credit report. Disputes can be filed with the Better Business Bureau (BBB), your state's Insurance Commissioner and/or Attorney General. If collections are involved, complaints can be filed with the Consumer Financial Protection Bureau (CFPB) and credit bureaus. If the bill was sent to the wrong address or was not sent to you, you can dispute interest or late penalties, if necessary through the BBB, your state's Attorney General, or other agencies, depending on your state. If it's a valid medical bill that you just overlooked, pay it and make sure the provider notifies collections and the credit bureaus that it's paid.

  2. The provider's office realizes they have made a mistake such as applying this debt to the wrong customer in their system. Again, if necessary, remind them that they have to notify collections and credit bureaus that this was an error on their part.

  3. You determine it is fraud. Once you’re certain the charges are fraudulent, it’s time to take action to defend yourself. Remember, if there were referrals or labs ordered from another medical provider you need to call and probe for information there as well. Once you've gathered enough information to be sure there is fraud, then you can notify the provider, your insurance, and authorities.

Step 2 - Defend against medical identity theft

If you determine that the medical debt is neither yours nor a clerical error, treat the situation as medical identity theft. Here are the steps to help prevent further theft.

  • Request a copy of your medical record from each of your providers right away, before you notify them of any bogus charges. That way you’ll have accurate records in your possession, in case you're later denied access to protect the imposter's privacy.

  • Assume financial information may be involved: Contact your bank and credit card issuers and ask them to put an alert on your accounts.

  • Notify your insurance provider right away. If the charges involve Medicare or Medicaid coverage, file a report online or call 800-HHS-TIPS.

  • File an Identity Theft Report with the Federal Trade Commission. If you receive phishing messages or calls that may be using your stolen medical information, report them to the FBI’s Internet Crime Complaint Center.

  • If you have an identity protection plan such as IDX, notify your provider right away so they can help you recover your medical identity. If you don’t have one, consider getting an identity protection plan that includes guaranteed identity recovery and dark web monitoring that will alert you if your medical information shows up for sale to criminals.

  • Watch your credit score and credit reports carefully for any sign of other fraudulent medical debts.

  • Check EOBs from your insurers even more carefully than usual.

Step 3 - Understand the risks of medical identity theft

With stolen medical information, someone can impersonate you to get care with your insurance coverage, using up your medical benefits and introducing potentially life-threatening false information in your medical record. Medical information can also be used to commit benefit fraud, or sensitive information could be used to coerce someone. While some question whether victims even need to pay off fraudulent medical debt, debt.com reports that 65 percent of victims needed almost $13,500 to pay off fraudulent bills, and 3% of the victims they studied lost their jobs as a result of medical identity theft.

(Medical data breaches also often involve financial information, so if your health insurance or medical provider has a breach, you also need to take action to defend your financial accounts.)

As with any kind of breach, try to find out what kind of information was exposed, but assume the worst.

If your medical insurance information was exposed:

  • Notify your medical insurer(s) and ask to have the account numbers changed if possible.

  • Review Explanation of Benefits (EOB) forms from your insurance carefully, looking for any services or treatments that the patient didn't receive. Notify the insurer immediately of any problems.

Medical information, such as diagnoses, lab or test results, medications, or medical procedures, is not typically used for direct fraud. However, if this type of information is exposed in a breach, be on the lookout for phishing scams such as an email or phone call offering free treatment or special benefits for a medical condition.
