Medical Identity Theft

Medical identity theft occurs when someone uses your personal information — name, date of birth, insurance details, national health number, or social security number — to obtain medical treatment, prescription medications, medical equipment, or healthcare benefits in your name. Unlike financial identity theft, the consequences extend beyond money and can affect the accuracy of your medical records, potentially causing harm in future clinical encounters.

The information used in medical identity theft can be obtained in several ways: data breaches at healthcare providers, insurers, or health apps; phishing or social engineering campaigns that extract insurance or health ID numbers; the purchase of stolen data on criminal forums; or the actions of someone known to the victim, including family members who share an insurance plan.

The immediate consequences include unexpected medical bills, denied insurance claims for services you did not receive but which have exhausted your benefit, and collection demands for debts you did not incur. The longer-term consequence — which is the feature distinguishing this from financial identity theft — is corruption of your medical record. If someone received treatment in your name, their diagnoses, medications, procedures, and test results may now be part of your health history. In an emergency, incorrect information in your record could affect clinical decisions made about you.

Detecting medical identity theft is often delayed because there is no continuous monitoring tool for health records equivalent to credit monitoring services.

The most common entry point is a data breach. Healthcare records are highly valuable on criminal markets because they contain the combination of personal, financial, and health information needed to commit multiple types of fraud. When a healthcare provider, insurer, or health platform is breached, thousands of patient records may be sold or exploited.

Phishing campaigns targeting patients and healthcare workers use fake appointment confirmations, insurance portals, and patient account alerts to harvest login credentials for health portals, which then expose the detailed information needed.

Once the criminal has your details, they may present your insurance card or health ID at a clinic or pharmacy, obtain prescription medications for resale, receive expensive treatments charged to your insurance, or submit fraudulent insurance claims on your behalf.

Fraudulent insurance claims are a particularly common application: criminal networks submit claims for procedures never performed, using stolen patient and provider details. The money goes to the criminal, but the fraudulent procedure record — and the depleted insurance balance — remains attached to your identity.

Insider fraud is another pathway: employees at healthcare organisations with access to patient records may sell or misuse that information.

Medical identity theft is effective partly because victims often do not know where to start addressing it. Financial identity theft has well-established mitigation pathways, including credit freezes and dispute processes with credit bureaux. Medical identity theft has less standardised processes and affects records spread across multiple healthcare providers.

The complexity of healthcare billing also disguises the problem. Patients who receive an explanation of benefits showing a service they do not recognise may assume it is a billing code issue rather than fraud, delaying investigation.

Healthcare records contain more categories of information than financial records and enable a broader range of fraud, making them disproportionately valuable to criminals.

A person receives a bill from a hospital they have never attended for a procedure they have no knowledge of. They contact the hospital, which has a record of a visit under their name and insurance details. Their insurance has paid part of the bill, leaving a balance in collections. Reviewing their insurance statements, they find three further claims for services not received, which have significantly reduced their remaining annual benefit. Their health record at the hospital contains diagnoses and a medication list belonging to someone else.

You have a balance of [amount] due for services on [date]. Please contact billing to discuss payment: [fake link]

Your insurance claim for [procedure] has been processed. Please log in to review your explanation of benefits: [fake link]

We noticed unusual activity on your patient portal. Verify your identity to continue: [fake link]

Your annual benefits have been exhausted. To continue coverage, update your plan details at [fake link]

Request a copy of your medical records from your GP, insurance provider, and any hospitals or specialists you have visited. Review them for treatments, diagnoses, or prescriptions you do not recognise. In the UK, you have a legal right to access your NHS records. In the US, the Health Insurance Portability and Accountability Act (HIPAA) gives you the right to access your health records.

Request an explanation of benefits (EOB) statement from your insurer for the past 12 months and review each line item. Contact your insurer's fraud department if you see claims for services you did not receive.

Monitor your credit report for unexpected medical debt collection notices, which may indicate that someone has run up medical bills in your name.

If you receive a bill from a healthcare provider you have not visited, do not ignore it — contact the provider's billing department and their fraud or compliance team.