Health Information Identity Theft

Most people have endured having a credit card stolen, along with the aggravation and inconvenience that goes along with it. The financial institution is usually responsible for the fraudulent charges, and the victimized consumer deals with the aggravation of updating billing relationships with the new account number and requesting that fraudulent charges be removed by the card issuer. Sadly, this type of inconvenience has become too commonplace. However, short of a full-blown identity theft, it remains an inconvenience which can be reasonably dealt with. The same cannot be said for stolen healthcare account information.

With increasing use of digital healthcare records, the likelihood of information theft has increased. In fact, earlier this year, Investor’s Business Daily reported that along with financial exchanges and law firms, healthcare information is being increasingly targeted by criminals. However, compared with theft of financial information, the impact of stolen healthcare information can be much more detrimental and the resolution even more difficult.

For example, a compromised account with a healthcare provider can result in identity, account, and insurance information all being stolen. The impact of this could mean that healthcare services are obtained using our identity and account information, which can not only result in fraudulent charges and bills, but also introduce very damaging and embarrassing information into our electronic health record, which can then be shared with other related parties. For example, health information can be corrupted with illnesses we have not had, medications we did not take, etc. Such misinformation can find its way into insurance and other databases, and we may find ourselves declined for life insurance or even failing a background check when purchasing a firearm because of a mental illness we have never had. Besides the embarrassing and inconvenient impact, there could be a life-threatening impact as well, caused by confusion over prescription medications and other inaccurate health history when we do seek legitimate care.

What is our best course of action to defend against health information identity theft? As with theft of financial information, many of the actions are the same for health information identity theft. However, the steps are not as easy to implement and will most likely require more time spent to resolve.

Common-sense steps can be taken to protect our health information, such as not sharing our insurance ID information with anyone whom we are not sure is a legitimate provider. Also, since many insurance companies and healthcare providers provide us with online account information, we should use strong passphrases which are different from other account logins when accessing these sites.

When protection fails, as it eventually will, the critical element is to detect and respond to the matter before we suffer substantial harm. Vigilance and regular monitoring are essential activities. In the same way we review our credit card and bank statements, scrutinizing for charges we did not authorize or withdrawals we did not make, we also need to scrutinize medical statements and, in particular, the Explanation of Benefits statements we receive from our health insurance provider. While many line item charges are sometimes difficult to understand, since the line items correspond to standardized billing codes for procedures, we should question anything we do not understand or even suspect may be inaccurate. Ensure that the services and dates are for care we or our family members have actually received, and challenge anything in question.

As is also the case with financial theft, another clue alerting us to health information identity theft is receiving a bill from an unknown provider we have never used and for procedures and care we did not receive. Worse, these bills can often go to collection agencies. Challenge all such inaccuracies in writing and keep copies of all written correspondence.

Once inaccurate information finds its way into our medical history, correcting the information can become complicated. While the process is similar to challenging inaccuracies in a credit report, the difficulties lie in the reality that we need to deal with each medical provider for each record, and once someone else’s information becomes co-mingled with our records, healthcare providers may try to prevent us from seeing our own medical files under the guise of protecting the information belonging to the party who stole our information and identity in the first place. This challenge can be very frustrating and require insistence and persistence. In addition, correcting mistakes can become costly as providers can require us to pay for copies of our medical records, unlike credit reporting agencies who must provide us with free copies of our file in such circumstances.

While we may not be able to overcome the cost challenge, we absolutely can remove the roadblocks with providers who seek to protect the identity of the thief to our detriment. Determine who at the provider handles privacy matters and determine the appeal process. We should then appeal the refusal in writing, demanding access to our medical file which we have every right to receive. If the provider still has not provided us the requested information within 30 days, file a complaint with the Department of Health and Human Services as our civil rights are being violated by the provider’s refusal.

After receiving copies of our file and identifying incorrect information, the process to correct the inaccuracy is similar to correcting inaccurate information on a credit report. Write to each provider, explaining the inaccurate information along with sending a copy of any document supporting our claim. Ask the provider to correct and/or delete the errors.  We should also retain all original copies of documents. All correspondence should be sent certified mail with receipts and retained for our records.

The provider is required to correct any inaccurate information in our file and also to inform labs and other providers who may have received inaccurate information. If the provider refuses to make changes after we notify them of inaccurate information, demand that your own statement be included in the file and record.


Other steps are the same or similar to responding to financial identity theft:

  • Order free copies of credit reports and check for errors
  • File a police report
  • File a Fraud Affidavit
  • Provide health insurance companies with copies of the police report and fraud affidavit
  • Continue to monitor

Protecting ourselves from health information identity theft requires vigilance and thinking in terms of when, not if, it will happen. Timing is critical, as detecting and responding quickly can mean the difference between nuisance and aggravation or a bigger disaster to overcome.
