Why you should worry about health care identity theft

It can harm your financial and physical health

Published: May 15, 2015 09:00 AM

Hackers, more and more, are targeting health care information. Medical identity thefts were up more than 20 percent between 2013 and 2014, according to the Ponemon Institute, which studies privacy, data protection, and information security. And almost 43 percent of breaches last year were health care related, according to the Identity Theft Resource Center. All that theft is costing millions of people time, money, and anguish—and may be putting their health at risk.

While it’s easy to understand why hackers want your credit card and bank account numbers, you may wonder why cyberthieves want your personal health information, too. “One reason is that it’s a relatively new thing to steal,” says Ann Patterson, senior vice president at the health industry group Medical Identity Fraud Alliance. “With financial and retail theft, they’ve been there, done that,” she says. But the move over the past few years to digital health records has opened up “a new channel for fraudsters.”

In other cases, cyberthieves may target health data for political or personal purposes. “Hackers may seek to hurt the reputation of a health-related institution or create chaos and cause harm for activist reasons, known as ‘hacktivism,’” says Eric Perakslis, Ph.D., executive director of the Center for Biomedical Informatics and the Francis A. Countway Library at Harvard Medical School.

The lure of your health data

Of course, the main interest in health-related data has to do with money—often yours. Hackers like to steal medical information for several reasons:

1. It’s valuable

The breadth and type of information in your files at health insurers and health care providers—which can include Social Security numbers, security words such as a mother’s maiden name, your contact information, insurance ID numbers, and more—can help hackers rake in big bucks.

“Health information is sold at a premium on the black market,” says Michelle De Mooy, deputy director of the Consumer Privacy Project at the nonprofit Center for Democracy & Technology. “There are some estimates that it goes for about $50 per record.” That compares with roughly $1 or less for U.S. credit card numbers, according to the World Privacy Forum. When you consider the numbers involved in the hack of health insurer Anthem reported this February, in which some 80 million customer records were breached, that can add up to big bucks.

Hackers can use the information not only to perform old-school tricks like setting up credit cards in your name, but can also commit medical care fraud. For example, a thief can use your insurance information to obtain—and then sell—high-value medical items such as wheelchairs, to fraudulently get medical care, or simply to sell your data to someone else who wants to do the same.

Find out how you can protect yourself from health care hackers and identity thieves, and see our extensive guide to Internet security for more safety tips and tactics.

2. It’s easy to hide

“Medical identity theft and fraud is much harder to spot than financial fraud,” De Mooy says. If a hacker grabs your credit information and tries to charge, say, an around-the-world airplane ticket, you’re likely to be alerted pretty quickly.

If someone uses your information to get medical care, you may not know until odd charges show up on your explanation of benefits (EOB) statements from your health insurance company or invoices from health care providers. And if those statements or bills are mailed to the person who’s robbed your insurance, you may be in the dark for months. In fact, a February 2015 Ponemon Institute study of 1,005 victims of medical identity theft found that it took them, on average, more than three months to find out they’d had their data stolen.

3. It stays valuable for a long time

Health care information also has a longer shelf life on the black market than does financial information. “Unlike a bank account or credit card account that can be shut down the moment fraudulent activity is noticed, we can’t shut down our birthdate or Social Security number,” Patterson says.

How medical identity theft can harm you

1. It can cost you a lot of money

Not only can hackers access your financial accounts, but you may face some surprising—and significant—expenses. The Fair Credit Billing Act limits your financial liability to $50 if a credit card is stolen. But there’s no clarity on who covers fraudulent medical charges.

For example, 65 percent of medical identity theft victims in the Ponemon study were forced to shell out money to resolve the issue. They spent, on average, $13,500 to pay insurers or health care providers for fraudulent care, to restore health insurance lost as a result of fraud, to pay lawyer’s fees to help them untangle the mess, or to cover fees for an identity protection service. Other financial problems identified by the study include the denial of legitimate insurance claims after fraudsters used up the identity theft victims’ benefits, and negative effects on credit scores.

2. It can be very inconvenient

Aside from financial difficulties, a wide and complex variety of issues can spring from medical identity theft. According to the Ponemon study, it took victims an average of more than 200 hours to re-secure their medical credentials. And there’s no straightforward process for reporting and resolving medical data theft problems.

“With financial information, there is a streamlined system in place to get redress,” De Mooy says. “But with health records, who do you call? Your provider? Your insurance company? You have to call everybody. Financial institutions are incentivized to have a system, because, in most cases, they’re financially responsible for theft. It’s not like that in health care.”

If someone fraudulently gets care for a condition you don’t have, for example, it can easily end up in your health records—which are quite difficult to change. “In health care, they don’t take anything out of your records,” Patterson says. “You can have a notation made to say that a particular surgery or prescription is a potential identity theft case. But often, the actual records never really get cleared up.”

Even more worrisome is that privacy regulations, which typically vary from state to state, may prevent you from even determining what a criminal has done to your medical records. “In some cases, you may be told that you can’t see your medical records because they ‘belong’ to someone else—the identity thief,” Patterson says. “They don’t want to get sued by the identity thief for disclosing private information. So sometimes, to avoid legal stickiness, records are kept private from the victim, in order to protect the privacy rights of the thief.”

3. It can harm your health

The Ponemon study found that 10 percent of survey respondents experienced a misdiagnosis because of fraud-related errors in their medical records, and 11 percent experienced delays in treatment.

For example, if a criminal’s blood type is added to your health records, you might, during a procedure, receive blood that is incompatible with yours—which can cause a life-threatening reaction. And if a fraudster’s medication allergies are placed in your record alongside your own drug allergies, that may slow essential treatment down as doctors try to untangle the information.

Diane Umansky
