If someone has used your personal information to get medical care, prescriptions, or insurance benefits in your name, you need to report it to multiple agencies and take steps to protect both your finances and your medical records. Medical identity theft is uniquely dangerous because it can alter your health files with someone else’s diagnoses, allergies, or blood type. Here’s exactly what to do, in order.
Recognize the Signs First
Medical identity theft often goes undetected for months or years. The most common red flags show up in your mail: a bill for medical services you never received, an Explanation of Benefits (EOB) statement listing procedures or office visits you don’t recognize, or a collection notice for medical debt you didn’t incur. You might also notice your insurance company denying a legitimate claim because your benefits have been maxed out by someone else’s care.
Less obvious signs include a new condition or medication appearing in your patient portal that doesn’t belong to you, or being told during an appointment that your records show a medical history that isn’t yours. If anything looks wrong, act quickly. The longer fraudulent information sits in your medical records, the harder it is to untangle.
File a Report With the FTC
Your first formal step is reporting the theft to the Federal Trade Commission at IdentityTheft.gov. Complete the online form with as many details as possible: dates of fraudulent charges, provider names, and any documentation you have. Based on what you enter, the site generates two things you’ll need going forward: an Identity Theft Report and a personalized recovery plan with specific steps tailored to your situation.
If you prefer not to use the website, you can call 1-877-438-4338 to file by phone. Keep your Identity Theft Report number. You’ll use it when dealing with creditors, insurance companies, and credit bureaus.
Contact Your Health Insurance Company
Call your insurer’s fraud department to report that someone has filed claims using your information. For most private insurers, the number is on the back of your member ID card. Blue Cross Blue Shield members can also use the fraud hotline at 1-877-327-2583, and federal employees or retirees can call 1-800-337-8440.
If the theft involves Medicare, call 1-800-MEDICARE (1-800-633-4227) or report it online at Medicare.gov. For Medicare Advantage or Medicare drug plans, there’s an additional line through the Investigations Medicare Drug Integrity Contractor (I-MEDIC) at 1-877-772-3379.
Ask your insurer to flag your account for fraud and send you a complete list of claims filed under your name. Review every entry carefully. This list becomes your roadmap for identifying which providers have contaminated records.
Request and Review Your Medical Records
Contact every doctor, clinic, hospital, pharmacy, laboratory, and insurance company where the thief may have used your information. Explain the situation and request copies of all medical records associated with your name. You may need to fill out records request forms and pay copying fees, but getting these documents is essential.
Some providers may initially refuse to release records, citing the identity thief’s privacy rights. This sounds absurd, but it happens. If a provider refuses, file an appeal with the person listed in that provider’s Notice of Privacy Practices. You can also contact the facility’s patient representative or ombudsman to escalate the request.
Correct Fraudulent Medical Records
Once you have copies of your records, report every error to the relevant healthcare provider in writing. Include a copy of the specific record showing the incorrect information and explain clearly why it’s wrong. Send your letter by certified mail so you have proof it was received and a record of the date.
Under federal privacy law (HIPAA), healthcare providers must act on your correction request within 60 days of receiving it. If they need more time, they can request a single 30-day extension, but they must notify you in writing with a reason for the delay and a specific date by which they’ll respond. Providers are also required to notify other healthcare entities that may have the same incorrect information in their systems. Follow up if you don’t hear back within the 60-day window.
This step matters beyond billing. If a thief’s blood type, drug allergies, or chronic conditions end up in your chart, it could lead to a dangerous treatment decision during a future emergency. Don’t treat this as paperwork you can get to later.
File a Police Report
Report the theft to your local police department. Bring your FTC Identity Theft Report, any fraudulent bills or EOB statements, and a written timeline of what happened. Some police departments are more experienced with identity theft than others, and you may need to be persistent about getting the report filed. A police report strengthens your case when disputing fraudulent debts and can be required for certain protections down the line.
Protect Your Credit
Medical identity theft frequently turns into financial identity theft. Unpaid fraudulent medical bills get sent to collections and damage your credit score. You have two main tools to protect yourself: fraud alerts and credit freezes.
Fraud Alerts
An initial fraud alert is the easiest first step. Contact just one of the three credit bureaus (Equifax, Experian, or TransUnion), and that bureau is required to notify the other two. An initial alert lasts one year and prompts lenders to verify your identity before opening new accounts. Once you’ve completed your FTC Identity Theft Report or police report, you qualify for an extended fraud alert, which lasts seven years.
Credit Freezes
A credit freeze is stronger. It blocks anyone from opening new credit accounts in your name entirely. Unlike fraud alerts, you must contact all three credit bureaus individually to place a freeze. Freezes are free and stay in place until you remove them. You can temporarily lift a freeze when you need to apply for credit yourself.
Check your credit reports from all three bureaus for any medical debt you don’t recognize. If fraudulent accounts appear, dispute them directly with the bureau using your FTC Identity Theft Report as documentation.
Keep Detailed Records of Everything
Throughout this process, save every letter, email, fax confirmation, and phone log. Note the date, time, and name of every person you speak with. Medical identity theft cleanup is rarely resolved in a single call. It typically involves multiple providers, insurers, and agencies over weeks or months. Having a paper trail protects you if a provider misses their correction deadline, a debt collector ignores your dispute, or a fraudulent charge resurfaces after you thought it was resolved.
Request a fresh copy of your medical records from each affected provider after corrections are made. Verify that the fraudulent information has actually been removed, not just flagged. Store clean copies somewhere accessible so you can reference them during future medical visits if old records resurface in a system.