Medical Identity Theft (Data-Focused)

Medical identity theft occurs when someone uses your health insurance credentials, national health identifier, or medical records to obtain healthcare services, prescription medication, or reimbursement payments they are not entitled to. Unlike financial identity theft, the damage here is not limited to your credit file: your actual medical record can be contaminated with another person's diagnoses, medications, allergies, and blood type — information that could lead to dangerous clinical decisions being made on your behalf.

In the US, Medicare fraud is a major driver of medical identity theft, with criminals billing the programme for services never rendered, equipment never supplied, or procedures performed on patients who never consented. In the UK, NHS identity fraud involves the misuse of NHS numbers to access treatments, prescriptions, or to fraudulently claim benefits linked to medical status.

The downstream consequences can include unexpected medical bills, insurance claim denials due to 'pre-existing conditions' you do not have, treatment delays because your records contain incorrect information, and damage to your insurance standing. Correcting a contaminated medical record is significantly harder than disputing a credit account.

Medical personal data is among the most valuable information sold on criminal markets, typically commanding a premium over financial data because it cannot be cancelled like a credit card. Fraudsters obtain it through healthcare data breaches, phishing campaigns targeting patients or healthcare staff, theft of physical insurance cards, or by bribing insiders at medical facilities.

With your insurance details in hand, a fraudster visits a clinic or contacts a pharmacy using your name and identifier. They receive treatment, obtain controlled prescriptions, or arrange for expensive durable medical equipment to be billed to your insurer. Alternatively, they file fraudulent insurance claims directly, providing enough of your real data to pass the claim's validation checks.

Because most patients do not scrutinise their Explanation of Benefits (EOB) statements carefully, the fraud can continue for months. Discovery often happens incidentally — during a routine medical appointment when the doctor mentions a procedure you have no memory of, or when your insurer denies a legitimate claim because you have 'exhausted your annual limit'.

Medical records are extremely valuable on criminal markets because they contain multiple identity data points in one place and cannot simply be cancelled. Healthcare systems, which prioritise patient access and continuity of care, have historically been slower to implement strict identity verification than financial institutions. Patients rarely scrutinise their EOB statements with the attention they give bank statements, creating a large window for undetected fraud.

Your [Insurer] Explanation of Benefits: claim for [Procedure] at [Facility] on [Date], billed amount [Amount]. If you did not receive this service, call our fraud line.

Past-due notice: [Medical Provider] is owed [Amount] for services rendered on [Date]. Please pay immediately or contact our billing department.

Your [Pharmacy] prescription for [Medication] has been filled. Pickup available at [Location]. Reply STOP to unsubscribe.

[Medicare]: our records show you received [Equipment] from [Supplier] on [Date]. If you did not receive this, call [Number].

Your annual out-of-pocket maximum has been reached. Further claims this year will not be reimbursed.

Review every Explanation of Benefits statement from your insurer as soon as it arrives. In the US, Medicare beneficiaries can review claims at MyMedicare.gov. Request copies of your medical records annually from your GP or primary care physician and check for diagnoses, medications, or procedures you do not recognise. If your insurer offers it, sign up for EOB delivery by email to receive faster notification of new claims.