In July, at least 11 million HCA Healthcare patients’ personal information was stolen and made available for sale on a data breach forum. HCA confirmed the breach on July 10 and warned patients that their full names, cities, and details of their last medical visits were compromised.
But why would thieves want people’s medical records? These private documents can be used to engage in “medical identity theft” to commit insurance fraud, see doctors on your dime, and get access to a variety of prescription drugs.
For Evelyn Miller, it started with suspicious texts and phone calls. Emory University Hospital emergency department contacted her about wait times and test results, despite no longer living in the area and not having used the hospital system in years, she told NPR. Miller’s identity had been misused, resulting in being billed over $3,600 — after which she contacted the hospital’s billing department and privacy officer.
“It amazed me someone could get registered with another person’s name and no ID was checked or anything,” Miller told the outlet.
Ultimately, the hospital removed the charges and it remains unclear if Miller’s identity had been stolen, or if another patient had the same name and it was merely an administrative error. Still, her case serves as a warning sign for thousands who fall victim to medical identity theft annually.
While medical identity theft is less common than other forms of fraud with about 28,000 cases in 2022 according to the Federal Trade Commission (credit card fraud had over 400,000), the ramifications can be vastly consequential.
Medical identity thieves may not only steal personal data, such as Social Security numbers and addresses but also access medical records and health insurance, posing significant health risks.
Related: Cyber Attacks Are on the Rise in Hospitals, Incidences Have More Than Doubled in 5 Years
“Sometimes people can’t get their prescriptions, if their records are mixed with someone else’s,” Eva Velasquez, president and CEO of the Identity Theft Resource Center, told NPR. “Maybe you won’t be able to get the treatment that you need. There are serious implications.”
Evelyn Miller kept receiving notifications from Emory University Hospital about appointments and test results despite not living in the area. John E. Davidson | Getty Images
Velasquez also added that often victims don’t even know their identity has been stolen and only discover the news through ruined credit scores due to unpaid medical bills.
“The majority of victims find out when they’re trying to move on with their lives if bills have gone to collections,” she told the outlet.
Medical identity theft can also be used by criminals to file fraudulent claims or commit insurance fraud on a massive scale, stealing millions from Medicare or Medicaid.
What Can Be Done to Prevent Medical Identity Theft?
While banks have long dealt with identity theft and have systems in place to detect suspicious activity indicating fraud, no such systems currently exist for healthcare.
John Riggi, a national adviser for cybersecurity and risk for the American Hospital Association, told NPR that hospitals should adopt similar fraud protection systems to financial institutions to flag patterns or activity that raise red flags before the fraudsters “flee with the money, and the individual is left to deal with it.”
As far as individual preventative measures, the FTC suggests:
- Keeping documents containing medical data, like health insurance records and prescriptions, in a secure place and shredding them before disposal.
- Limiting medical information received by mail by opting for online statements.
- Asking for alternative identifiers before giving out your medical information or use only the last four digits of your Social Security number.
- Only access medical accounts through trusted websites or contact the providers using verified phone numbers.
Related: People Are Impersonating Homeowners to Take Out Mortgages and Steal the Money. Here Are the Best Ways to Stop It Happening to You.