Alexis Moore got a surprise a few years ago when she went to the doctor, and it had nothing to do with her physical health. "I needed a CT scan of my head and sinus, and when I handed them my insurance card, they told me I had no coverage," she recalls.

Her identity had been stolen. The addresses on her credit card and bank accounts had been changed without her authorization, and her health and auto insurance had been canceled. "I spent over 100 hours on the phone in one month trying to get help from the insurance company and to find out what was going on," says Moore. Meanwhile insurance payments were delayed, or radiologists, pharmacies and doctor's office got letters saying she had no coverage.

"I was not only humiliated, I was having to advocate and plead with these providers to rebill my insurance and help me. Frustrated with having to rebill, they wouldn't and my medical bills skyrocketed," says Moore, who estimates the confusion over the bills cost her $10,000 to $20,000 out of pocket. But even higher, was the emotional cost of the more than two years it took to get her life back in order.

Her response to the ordeal puts it in perspective: Moore founded Survivors in Action, a national nonprofit advocacy group that supports victims of any crime.

Posing as You to Suck Your Benefits Dry

What happened to Moore was a less well-known type of identity theft called identity theft as abuse, but she's just one of an ever-growing number of victims of medical identity theft. According to a recent Ponemon Institute study, about 1.5 million Americans have suffered from medical identity theft, at a total cost of about $29 billion, or approximately $20,000 per person.

Medical identity theft begins when someone gains access to a victim's personal information, and fraudsters can rack up medical charges quickly, leaving insurance companies and Medicare on the hook, and victims owing co-pays for services they never received. Not only can this result in huge financial losses, but the co-mingling of two patients' information can lead to serious errors in records (blood types can change, allergies appear or disappear), misdiagnosis and fatalities.

It's not that hard for a medical identity thief to get started: Items can be taken out of your home or office that make it fairly easy for someone to pose as you and drain your medical benefits, warns John Sileo, author of Privacy Means Profit: Prevent Identity Theft and Secure You and Your Bottom Line. Then too, such data theft can also be an inside job.
"There is a case of a Boston psychiatrist and another of a receptionist in Cleveland who were stealing patient information. The Los Angeles police stated once that gang members were getting their wives and girlfriends jobs in pharmacies, medical and dental offices, with the goal of thieving patient information," says Levin. A major home health care ring in New Jersey was misusing patient information. And the risk goes beyond medical providers: Insurance agencies, government agencies, private sector human resource departments and outside consultants often retain digitized medical records to keep track of their clients and employees. In one high profile case in 2009, a hacker stole 8.3 million patient records and demanded a $10 million ransom, reports Adam Levin, co-founder of Identity Theft 911, a data breach management company.

"Paper medical records create serious privacy threats for patients," says Ryan Howard, CEO of Practice Fusion, which provides free electronic medical record systems to physicians. "They can be easily be lost or stolen, accessed inappropriately with no safeguards. Patient medical data is safer with electronic medical records than with paper charts. Period."

Then too, sometimes the perpetrator is someone close to the victim.
Emily, who declined to provide her last name, says she had no clue how her medical identity was stolen. "I only discovered it when I got a bill in the mail for an emergency room visit. I've never been to the ER in my life," she says.

You may be keenly aware of the need to safeguard your financial information: The same care is required of your medical records. Here are some steps to take to protect yourself.

Be savvy about how your information can be misused
. Opportunities abound. An article in DarkReading talks about emerging social networking sites for people with medical conditions like, and, where people can post profiles similar to those on Facebook. Users are posting photos, hometowns and personal health information -- information that in the wrong hands can be abused. Don't provide your insurance information to anyone over the phone or Internet unless you are absolutely positive that the person with whom you are communicating is legitimate.

"Scam artists posing as insurance companies, doctor's offices or pharmacies may contact you and sound legitimate, but the best course of action is to never give your information out unless you are absolutely convinced it is legitimate. Be skeptical," says Steve Weisman, a professor at Bentley University and author of The Truth About Avoiding Scams.

Review medical bills closely. Medical bills and insurance statements may contain important signs that you are a victim of medical identity theft. Check the itemized costs. If something look suspicious, investigate by calling right away, advises Levin.

Check your medical records.
You check your credit report, and you should do the same with your medical records. Always review your Explanation of Benefits. If you find activity that appears to be incorrect, call your insurer and your medical provider. Also obtain, once a year, a "benefits request" from your insurance company. This is a list of benefits paid for in your name by the health insurance. Follow up with the insurer if you find anything suspicious, advises Jeremy Miller, director of operations at Kroll Fraud Solutions. If you receive a collections notice for medical services or equipment that you never received, call your medical services provider.

Ask questions. You're the customer here. Be informed and understand what slice of your information and identity is secured. Ask your doctors if they do ePrescribing, whether they store your information electronically, and if they do, how is it protected? And if they are still using paper, how is that information disposed? These are just some of the questions you should ask, says Dave Miller of Covisint, a company that provides health care IT services.

Speak up. You can request that your health care company use an identification number other than your social security number. "The provider has to comply with your request, since according to the Social Security Administration rules, only the SSA and the IRS can require you to use your true SSN," says Jon Heimerl, director of strategic security at Solutionary, an information security company. Just be aware that using an "alternate ID" can extend claim processing by months, Heimerl warns. Decide if it's worth it for your peace of mind.

Sign with care. Don't automatically sign anything. Read the HIPAA forms in full. You're signing away your rights to privacy -- essentially, enabling the doctor to share your information with whomever she wants. Know where your data will be stored and how it may be shared. "If you don't like it, tell your doctor your concerns before signing it," says Dave Miller. You can also request that your health care providers send you a HIPAA Accounting of Disclosure, which is a list of entities that have received your health care information for uses unrelated to treatment and payment. A disclosure is available to you every 12 months, and it's free.

Know your rights
. If you are a victim of medical identity theft, you have a right to get a copy of your records from any of your medical care providers. Get those records and review them. Federal law provides you with the right to have your records amended to remove inaccurate information, says Weisman. This is particularly important because information in your medical report that reflects the condition of someone else could effect your own medical care.

Also, request an accounting of disclosures so you know everyone who has received a copy of your medical records. This way, you can identify who has received the compromised records and contact them to correct their records. You should also file a police report and put a freeze on your credit report, adds Weisman. He also recommends checking out the Identity Theft Resource Center, which offers information on medical identity theft.
"This is just the early stages of becoming a problem," warns Sileo. "It will continue to increase exponentially over the coming years."

Increase your money and finance knowledge from home

How to Buy a Car

How to get the best deal and buy a car with confidence.

View Course »

Economics 101

Intro to economics. But fun.

View Course »

Add a Comment

*0 / 3000 Character Maximum


Filter by:

In my opinion, one of the biggest reasons for this problem is that we've been giving our SS #'s to just about everyone for so many decades. It was never supposed to be a form of I.D., but it happened and the consequences of fraud and ID theft have been horrific..........Also, many health insurance cos. were using our SS# as the member i.d. number.

October 18 2010 at 4:14 PM Report abuse +1 rate up rate down Reply

There is one flaw here. You have a right to your medical record, not IF YOU HAVE identity theft. You have the right.

October 18 2010 at 2:47 PM Report abuse rate up rate down Reply

We routinely get copies at the following doctor's visit from all tests done. If there is something awry, I would tell them immediately. Since we live some distance from our doctors, and because we have the right to see our files, and accuracy is the best policy in proper treatment, we get our files. Our docs are completely comfortable with this, and most places have gone to computerized files, it is good practice to have a hard copy.

October 18 2010 at 2:44 PM Report abuse rate up rate down Reply

If you have witnessed what I have, this is no surprise. Medical records are faxed, they are sent to incorrect numbers, to people who are not waiting at the other end to receive them. Medical records are put in the waste baskets in offices with the face sheet-doctor copies for housekeeping to throw in the dumpsters-they don't care.(Face sheets have all the data regarding the patient. When signing up at a dr's never give mother's maiden name, for one. They'll still treat you. The things I've witnessed were at hospitals in Detroit area. It is not just one complex, I worked for 2 different hospital groups. It is harder for a lawyer to jump through the hoops to get medical records than a thief or janitor. Granted, the last I worked was 10 years ago, but I can bet the problems still exist. There are certain protocols to follow and putting things in the trash isn't one of them, I saw it repeatedly. I pulled out my own record from the trash and took that home to the shredder. Some doc does research, gets copies and doesn't dispose properly, he's leaving, and doesn't care. It happens. I take privacy very personally and patient confidentiality even 50 years past should still be confidential because it involves families. Copies made must be disposed of properly. I really do not trust the shredding vans that come and collect all sorts of data from banks, hospitals, lawyers, etc. In academics we were so careful to shred, with this very nifty razor shredder, every record ourselves, then it was picked up. If we were so careful, why wasn't a hospital or outpatient clinic just as responsible with patient sensitive data? It should be. I heard of a case of a Canadian girlfriend using an exwife's identity to have surgery. The person didn't pay the co-pay and the ex wife got the bill. I said it is a jailable offense and that she should report that for many of the reasons here. The woman's time had expired, she was not in this country legally and there was a whole list of things that needed sorting. If it happens, report it. Everyone insured pays for the fraud.

October 18 2010 at 2:24 PM Report abuse rate up rate down Reply

Some New Identity Thieves are Unlikely Culprits You could be getting your identity stolen from the people you trust the most – your parents.

October 18 2010 at 1:17 PM Report abuse rate up rate down Reply

I stopped giving doctors' offices my Social security number years ago. There's no need for any medical office to have it. Medical offices get their computers stolen with patients' info all the time. Many places that say they require it actually don't.

October 18 2010 at 11:59 AM Report abuse +6 rate up rate down Reply

For the latest nominee for the Self-Serving Award of the year, I nominate: Ryan Howard. "Paper medical records create serious privacy threats for patients," says Ryan Howard, CEO of Practice Fusion, which provides free electronic medical record systems to physicians. "They can be easily be lost or stolen, accessed inappropriately with no safeguards. Patient medical data is safer with electronic medical records than with paper charts. Period." He's the CEO that makes his living off electronic medical records. Do you expect he'll say they are not safer than paper records? As a health care provider, my client paper charts and files are locked, in one place. You need not worry that some hacker from overseas will gain access. Can Mr. Howard say the same? Electronic Health Records are seen by at least 27 people (on average), and that's mostly insurers. If businesses using credit card billing have prisoners, or overseas employees, handling electronic transactions, can health insurers be far behind?

October 18 2010 at 11:51 AM Report abuse +3 rate up rate down Reply

these people just want to sell your info to the illegal mexi's so that they can have future cockaroaches on your dime..... and our government wants it to happen. throw them all out!!!!!!

October 17 2010 at 10:26 PM Report abuse -5 rate up rate down Reply