There is a lot you can do to avoid medical identity theft and to reduce its negative effects if your personal data is stolen. Here, the proactive steps to take to keep your private health information out of the reach of hackers and other would-be thieves, advice on spotting the signs of a potential problem, and how to proceed in the event of a theft.

10 Ways to Guard Against Medical Identity Theft

1. Get copies of your medical records and add new information each time you receive treatment. If your records are corrupted by a thief, you’ll have proof that they were altered. “The victims I’ve talked with tell me that their deepest regret is that they didn’t have a copy of their files before the incident,” says Pam Dixon of the World Privacy Forum, a nonprofit public interest research group.

2. Check your medical records at least once annually. If you notice an error, alert your healthcare provider and request a change.

3. Read every explanation of benefits (EOB) notice from your insurer. If you see something fishy, call about it right away.

4. Be careful with your Social Security number. Keep your SSN out of your medical file, and if you’re asked for it at the hospital or doctor’s office, tell them you’d rather not share it for security reasons. That isn’t possible if you’re on Medicare, where your SSN is currently on your card. Be careful with your insurance ID number as well.

5. If your doctor or hospital asks you to scan your driver’s license or other government-­issued ID, question whether it’s necessary and resist. If that information is stolen along with your medical data, it can increase your chance of identity theft.

6. If you lose your health insurance card, call and ask for a new ID number and new card, advises Larry Ponemon of the Ponemon Institute, a private cybersecurity ­research firm.

7. Never share your health data or personal information over the phone or in an email unless you’re sure who you are communicating with. Questionable emails soliciting that information, known as phishing, often look official but are from hackers. And don’t fall for phone scams asking for your Medicare or health insurance ID number.

8. Don’t share health information on websites and apps, where it may be less secure.

9. Know that the practice of allowing friends or family members to use your insurance ID is illegal.

10. Ask your healthcare providers how they safeguard your information. “If you see medical records screens up and people walking away without locking them, it’s a clue that they don’t take privacy seriously,” says healthcare attorney Clinton Mikel, chairman of the American Bar Association’s eHealth, Privacy & Security Interest Group.



4 Medical Identity Theft Warning Signs

1. You receive an explanation of benefits summary or health provider bill listing medical treatments you never received.

2. A debt collector starts contacting you about unpaid medical bills that you didn’t incur.

3. Your health insurer informs you that you’ve reached your benefit limit when you know you haven’t, or a letter arrives denying a claim you never filed for a medical condition you don’t have.

4. You check your credit report and see collection accounts you don’t recognize. 


9 Actions to Take If It Happens to You

1. Call the facility where the fraud may have happened. “It’s always possible that there has been a clerical error, so establish that the fraud has occurred,” says Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center (ITRC).

2. File a police report. “It’s the tool that establishes that you’ve been the victim of a crime,” Velasquez says.

3. File an identity theft report with the Federal Trade Commission. You’ll receive a step-by-step recovery plan that will help guide you. The ITRC also offers free help. Suggestions are likely to include a security freeze, which prevents potential lenders from accessing your credit report.

4. Contact your insurer. Some have fraud hot­lines where you can report the problem.

5. Ask your healthcare providers for copies of the medical records they have for you. Some state laws make it easier for you to get copies of your medical records, so check healthinfolaw.org for information on your area.

6. Healthcare providers should respond within 30 days of receiving your written request. If your request is refused because of privacy law, contact the provider and explain that you suspect a crime has occurred. It is your right to see your medical records, even if a thief’s information has been added. Report problems obtaining medical records or privacy law violations at the Office for Civil Rights.

7. Review your medical records (and any explanation of benefits notices you receive after the theft) for errors and notify the related health plans or providers by certified, return-receipt mail. Note the incorrect information and ask that it be changed. Include a copy of your police or identity theft report and follow these steps from the ITRC.

8. Ask your insurer and medical providers for an accounting of disclosure for your medical records. That tells you which other providers received your medical records so that you can also contact them.

9. Hold on to all relevant documents, and after each conversation note the name of the person you’ve spoken with as well as the date.

Editor's Note: This article also appeared in the October 2016 issue of Consumer Reports magazine.