How to Prevent Medical Identity Theft: Signs and Steps

Preventing medical identity theft comes down to controlling who has access to your insurance information, monitoring every statement you receive, and locking down your online health accounts. Unlike financial identity theft, medical identity theft can do more than drain your wallet. It can contaminate your health records with someone else’s blood type, allergies, or pre-existing conditions, leading to misdiagnoses, wrong treatments, or dangerous drug reactions. That makes prevention especially important.

Why Medical Identity Theft Is Dangerous

When someone uses your insurance card or health information to receive care, their medical data gets mixed into your records. This is not just a billing problem. If a thief’s blood type, drug allergies, or medical history ends up in your file, a future doctor could make treatment decisions based on someone else’s body. The Journal of AHIMA has flagged this record contamination as one of the most serious risks, noting it can lead to misdiagnoses, delayed treatment, and adverse drug reactions. Cleaning up a corrupted medical record is far harder than disputing a fraudulent credit card charge.

Guard Your Insurance Information

Your health insurance card is as valuable to a thief as your credit card. Treat it that way. Keep insurance cards, enrollment forms, prescription bottles, billing statements, and Explanation of Benefits (EOB) documents in a secure place at home. When you no longer need them, shred paper documents. For prescription bottles and other hard-to-shred items, use a permanent marker to black out your name, member ID, and any other identifying details before tossing them.

Mail is a common weak point. If you still receive paper EOB statements or medical bills, pull them from your mailbox promptly. Better yet, switch to electronic delivery for insurance statements and medical bills. This eliminates the window where sensitive documents sit in an unlocked mailbox.

Be cautious about who you share your insurance information with. The FTC warns against giving medical details to anyone who contacts you unexpectedly by phone, email, or text. If someone claims to be from your insurance company or doctor’s office, hang up and call back using a number you’ve verified yourself, or log in to your patient portal directly.

Lock Down Your Patient Portal

Most health systems now offer online portals where you can view test results, request prescriptions, and message your doctor. These portals are also a target. If your portal offers multi-factor authentication, turn it on. With it enabled, logging in requires something beyond your password: a one-time code sent to your phone, a fingerprint or face scan, or a physical security key. Even if someone steals your password, they can’t get in without that second factor.

Use a unique, strong password for your health portal that you don’t reuse on other sites. Many portal breaches happen not because the health system was hacked, but because a patient used the same email and password combination that was exposed in an unrelated data breach. A password manager makes this easy to maintain across dozens of accounts.

If your portal offers biometric login through your phone’s fingerprint reader or facial recognition, use it. These methods are faster than typing a password and significantly harder for someone to replicate remotely.

Review Every Explanation of Benefits

Your insurance company sends an EOB after every claim is processed. Many people ignore these because they look like bills but aren’t. That’s a mistake. The EOB is your best early warning system for medical identity theft.

Each time you receive one, check for three things: services you never received, providers you’ve never visited, and dates when you didn’t have a medical appointment. A notice of insurance benefits for health care services never received is a recognized red flag for identity theft. Even small, unfamiliar charges matter. Thieves sometimes start with minor claims to test whether an insurance number works before submitting larger ones.

Also watch for letters from your insurer denying coverage because your benefits have been exhausted, or collection notices for medical debts you don’t recognize. These can signal that someone has been using your insurance without your knowledge.

Request Your Medical Records Regularly

Under HIPAA, you have the right to access your own medical records and to request an accounting of disclosures. This means you can ask any healthcare provider or insurer to show you a list of who has received your protected health information. Reviewing this periodically helps you spot unauthorized access you wouldn’t otherwise know about.

When you review your records, pay close attention to your documented blood type, listed allergies, and pre-existing conditions. If anything looks unfamiliar, it could mean a thief’s medical information has been merged with yours. You have the legal right to request amendments to your medical records if they contain inaccurate information. The provider has 60 days to respond to your amendment request, though they can extend that by an additional 30 days with written notice.

Recognize the Warning Signs Early

Medical identity theft often goes undetected for months or years because people don’t scrutinize health-related mail the way they watch bank statements. Here are the signs to watch for:

  • Unexpected medical bills for services you didn’t receive
  • Collection calls for medical debt you don’t recognize
  • Insurance denials stating you’ve reached your benefit limit when you haven’t used much coverage
  • Unfamiliar entries in your medical records, such as conditions you don’t have or medications you’ve never taken
  • EOB statements listing providers, procedures, or dates that don’t match your actual care

Any one of these on its own could be a billing error. Two or more appearing together strongly suggest that someone else is using your identity for medical services.

What to Do If It Happens

If you spot signs of medical identity theft, report it to the FTC through IdentityTheft.gov. The site generates a personalized recovery plan, walks you through each step, tracks your progress, and pre-fills the letters and forms you’ll need to send. Creating an account there is free and lets you update your plan as new issues surface.

Beyond the FTC report, contact your health insurer’s fraud department and the billing office of any provider listed on suspicious claims. Request copies of all records associated with the fraudulent services. You’ll need these to dispute the charges and to identify exactly which entries in your medical file belong to someone else. Ask your providers to flag your account so that future visits require additional identity verification.

File a police report as well. While local police may not investigate medical fraud directly, the report creates a paper trail that insurers and collection agencies often require before they’ll remove fraudulent charges from your account.