Theft of Your Medical Records Can Be Life-or-Death Situation
Identity theft to many people is not a big deal because it has become synonymous with the minor hassle of dealing with a stolen credit card number. You get another card, and you’re not out any money. And it happens so often, we’ve become numb to data-breach headlines.
But a far more insidious form of ID theft goes beyond dollars and cents and can literally mean life or death.
Medical identity theft is when a thief steals your identity to receive medical services, buy medical products or rip off health insurers. It affects private insurers, Medicare and Medicaid.
Criminals find it far more lucrative than ripping off credit card numbers, experts say. That’s why, despite not even being acknowledged as an issue a decade ago, the crime numbers are growing rapidly.
The Medical Identity Fraud Alliance says medical ID theft rose 22 percent in 2014, to 2 million victims. About two-thirds of victims paid more than $13,000 in out-of-pocket costs to resolve the crime, according to the fifth annual Study on Medical Identity Theft by the Ponemon Institute.
Pam Dixon, executive director of the World Privacy Forum, which maintains perhaps the most extensive resources on the topic, puts the number of annual victims at 5 million to 10 million, with regional hot spots in retirement areas such as Florida and Arizona and major cities such as Chicago, New York and Los Angeles.
“This is done by major, sophisticated criminal rings,” Dixon said. “This is not mom-and-pop stuff.”
Major data breaches at large health insurers Anthem and Premera Blue Cross are recent examples.
With health insurers, unlike retailers, crooks can steal enough information to damage your financial life, including opening new credit accounts in your name — far more problematic than credit card number ripoffs. But potentially more problematic, they can mess up your medical records. If someone receives medical care in your name, your medical history can have incorrect information about allergies, drug interactions, diseases and blood type.
“Your medical file starts reflecting this fake reality and gets totally polluted,” Dixon said. “This is why when people are victims of medical forms of identity theft, they can literally have life-threatening consequences.”
If thieves are getting medical services or doing fictitious medical billing in your name, there are no laws to protect you as with financial identity theft, Dixon said. Existing medical privacy laws restrict your ability to clean up the mess, giving you no ability to correct or delete erroneous information from medical histories, she said.
“We have the right to look at our records, but we do not have the right to change our records,” she said. “It’s a serious crime, and there are no absolute cures at this point.”
She said it can take years to recover.
In the cases of health insurer data breaches, it’s not your fault and there’s little you can do to avoid it. “You cannot prevent medical forms of identity theft, unless you never see a doctor,” Dixon said.
But here are some steps to take.
■ Review insurance statements. Monitor “explanation of benefits” statements from your health insurer, looking for services you did not receive, office visits you never made or medical equipment you didn’t buy.
If you find unfamiliar items, it might indicate you’re a victim of medical ID theft, and you should contact your insurer. Don’t assume everything is OK just because you don’t owe the insurer any money.
About 80 percent of people don’t read their explanation of benefits mailing, mostly because they’re so difficult to comprehend, said Bob Gregg, chief executive of ID Experts, which sells medical identity theft services to health insurers and self-insured employers.
“That’s part of the problem, but reading them is one way to protect yourself,” Gregg said.
But sometimes fraudsters change your billing address and you won’t see the statements. So annually, request a copy of that year’s health benefits paid in your name to check for fraudulent charges, the World Privacy Forum suggests.
■ Get a copy of your electronic medical file. “It is not possible for me to state how important this is,” Dixon said. It’s difficult to reconstruct a person’s original medical file after it’s been contaminated with information from a criminal.
Ask for a copy of your medical files, at least the highlights, from the doctor you see most and those of your children too, Dixon said. It should include a list of your current medications. If your health insurer provides online access to those records, take screenshots or make printouts, she said. Some health providers might charge for the copies, and you might want to skip some pricey ones, such as copies of X-rays.
“You want a current snapshot of your body state,” she said. “People who have that baseline file come out so much better than people who don’t.”
To help get those files, the World Privacy Forum has sample letters and detailed advice on what to do if health providers refuse to give you a copy.
“Anyone who has gotten a medical data-breach letter needs to get a copy of their health care files immediately,” Dixon said.
■ Credit monitoring. Breaches of health insurers, retailers, banks and other organizations usually lead to companies offering free credit monitoring. That won’t help with pollution of your medical records but it might help with the financial side of medical ID theft if part of the breach included Social Security numbers, which allows thieves to open new credit accounts in your name.
However, credit monitoring is useless if only your credit or debit card number was stolen, as is the case in many breaches of retailers. If monitoring is free, feel free to sign up for it. You can also access your credit reports once a year at each of the three main credit bureaus at annualcreditreport.com. If you find a fraudulent unpaid health care debt, use the dispute procedures available at the credit bureaus.
Unfortunately, one recent consumer-friendly action to keep medical debts from unfairly harming the creditworthiness of consumers is likely to have a bad side effect for victims of medical ID theft.
In March, the three largest credit-reporting agencies, Equifax, Experian and TransUnion, said bad medical debts won’t be reported until after a 180-day waiting period to allow time for insurance payments to be applied. That adds delay for victims of medical identity theft who could learn of the fraud through credit reports, Dixon said.
So, regular monitoring won’t help to catch medical ID theft quickly.
■ Protect your insurance card. It won’t help people who are victims of data breaches, but in day-to-day activities, protect your health insurance card as you would your Social Security card.
It’s a good idea to keep your health insurance information with you in case of injury or health crisis. But instead of carrying the card, Dixon recommends photocopying the insurance card and blacking out the last four digits. If there’s an emergency, a hospital or care center can call the insurer and get the information they need to provide treatment, she said. When going to a scheduled doctor visit, just take the card with you, she said.