What is medical identity theft and how can you avoid it?
While an average of 15 million Americans a year become victims of identity theft, there's an offshoot branch of this type of white-collar crime that's less talked about: medical identity theft. While not as ubiquitous as other varieties of this crime, medical identity theft is increasing, as cases "reported to the Federal Trade Commission (FTC) rose from about 6,800 in 2017 to nearly 43,000 in 2021," according to the AARP. What are the hallmarks of medical identity theft, and how can people protect themselves from it?
What is medical identity theft?
While there's no singular definition, medical identity theft occurs when someone "steals or uses your personal information (such as your name, Social Security number or Medicare number) to submit fraudulent claims to Medicare and other health insurers without your authorization," the U.S. Department of Health and Human Services reported. However, it's not limited to the submission of insurance claims, as thieves have also been known to use "personal or financial information to get medical care … or a prescription," according to the University of Illinois.
Medical identity theft can occur much in the same way regular identity theft does. It can happen "after your wallet is stolen, when your account is hacked or if someone with legitimate access to your information, such as an employee at your clinic, takes advantage," according to credit bureau Experian.
There are also scenarios in which an internal breach at an insurance company can lead to information being compromised. In 2022, 370 data compromises released medical insurance account numbers, and 465 compromises released personal medical records, the Identity Theft Resource Center stated in its annual report.
How much damage does it cause?
The associated costs can be exorbitant. At least 65% of medical identity theft victims had to "pay an average of $13,500 to resolve the crime," according to a 2015 study from the Ponemon Institute and the Medical Identity Fraud Alliance (MIFA).
In terms of stolen data from breaches, the medical industry also has the highest cost per stolen record at $429, Statista reported. The second-most common sector affected, financial services, had a cost per stolen record of just $210, according to Statista.
Some government sources even estimate the price of medical identity theft to be much higher. Georgia's Office of the Attorney General believes the "average cost of medical identity theft is approximately $22,346," almost twice as much as the aforementioned MIFA study. Conflated with the number of Americans affected yearly, "the estimated annual cost of medical identity theft is $41.3 billion nationwide," the attorney general's office reported.
What can people do to avoid it?
The most obvious thing is to "keep your medical records, health insurance records and any other documents with medical information in a safe place," according to the Federal Trade Commission. This includes documents such as health insurance enrollment forms, health insurance cards and prescriptions, the FTC stated, as well as "billing statements from your doctor or other medical provider" and "explanation of benefits statements from your health insurance company." Even prescription bottles should be kept away from prying eyes.
When it's time to get rid of these documents, the FTC reported, deal with them similarly to how any other important papers would be handled. Specifically, "shred them before you throw them away. If you don't have a shredder, look for a local shred day," the FTC said. "If it's something that's hard to shred — like a prescription bottle — use a marker to block out any medical and personal information."
It's also a good idea to "treat your insurance identity information as if it were a credit card account number," Pam Dixon, the executive director of the World Privacy Forum, told Brain & Life magazine. This means being cautious at "health fairs, which can be staged, and of phone solicitations," Dixon added. And stay vigilant at the doctor's office, noting if other patients' records are visible or if employees leave confidential information on their computer screens when getting up. If medical information is stolen, Dixon recommends being patient, as it "usually takes about two years" for finances to be resolved.
