How to avoid and protect against medical identity theft

Medical identity theft is real and spreading. Read our guide to learn how to stay safe.

There is no doubt about the fact that the vast majority of cases involving data breaches happen because healthcare companies mess up.

No one should blame the customer in this case.

However, just because customers are free from blame doesn’t mean that they can’t do something to prepare for the worst.


As we said, you need to prepare for the worst.

Here are some things you can do right now to protect yourself against medical identity theft.

  • Use a VPN service
  • Delete receipts and prescriptions
  • Stop sharing everything on social media
  • Stop sharing your medical insurance
  • Pay as much attention to the security of your medical information as your SSN
  • Keep an eye on your credit report
  • Keep your eyes open for any suspect correspondence
  • Start talking regularly with insurance providers

Use a VPN service

More and more health insurance providers, doctors’ offices, labs and various other medical institutions make use of hundreds of online accounts.

Some use even more.

Now, our readers should already know that if they are trying to log in to a given website while they have connected to a public WiFi network, there is a high chance that a cybercriminal or a hacker could steal their login credentials along with plenty of other stuff.

Hence, the best course of action here is to avoid accessing such websites altogether.

That holds true especially when you are trying to connect to a public WiFi network.

However, if you feel that there is no other way for you but to connect to such a website, then make sure that you are using a VPN service to encrypt your internet traffic properly.


Delete receipts and prescriptions


This tip is for people who have no problems going to the pharmacy, buying their stuff and then leaving but do have a problem when it comes to dealing with their bulky pharmacy bag.

Our recommendation is that you should hold on to the bag no matter how big or inconvenient it feels at least till you get home.

Then you can think about how to dispose of the bag properly.

Remember, there is no guarantee that someone would not just stumble onto your trash bag (or wherever you toss your trash) and decide to have a look.

If a random person does that then there is no guarantee that he/she would not glean as much information as desired in order to commit a malicious act.

The malicious act that we are concerned with, in this guide, is medical identity theft.

If you are not careful, some stranger could end up with all of your health insurance forms along with treatment prescriptions and medical receipts.

You may not realize this right now but these documents are pretty much as important as your financial documents.

If you think you do not need these documents then instead of throwing them out like trash you need to shred them.

Moreover, do not forget about handling prescription labels on packaging materials and bottles.

Make sure you shred those as well.

If you do not want to do that, then at least make all the sensitive information illegible.

Whatever you do, just don’t throw these things out as they came to you.

Stop sharing stuff on social media

This tip can come in handy in a variety of situations and not just when it comes to protecting yourself against medical identity theft.

With recent revelations on how social media platforms make use of user data, everyone should work hard and take precautions when trying to share anything on social media.

Of course, there is nothing wrong with sharing something about your medical condition with close friends and family.

But try not to make a habit of sharing such details publicly.

Hackers and other cybercriminals now have all the tools necessary to collect user information including the user’s medical history.

They can also pair all that information with the user’s date of birth along with other pieces of personal information available at various public resources on the internet.

Then they create a new profile in the name of the user and use it as the basis for their activities including medical identity theft.

Stop sharing things like medical insurance

We know.

Times are tough.

And people need a social support network.


Sometimes you have no other choice but to help one of your family members and/or friends who are in trouble for one reason or another.

While helping them out you may allow them to receive some sort of treatment using your own medical information.

Now, we don’t really know where you live, but depending on the laws in your country, sharing medical insurance may be considered a crime.

Apart from that, it can potentially expose you to a host of future issues as the person that received treatment with your medical information may decide to abuse your past generosity.

In a recent Ponemon study, around 50 percent of all respondents said that the medical identity theft they became a victim of was perpetrated by a person that they knew from somewhere.

Start treating your medical information as if it is your social security number

We hope we do not need to convince you when we tell you that you need to start guarding your medical number along with your insurance number pretty much as closely as you guard your SSN or social security number.

All such information is very important and very sensitive.

You should provide your medical number or insurance number to a third party only when you feel it is absolutely necessary.

So what should you do if you lose your medical or insurance card?

Well, the first thing you should do is to notify your medical or insurance provider.

Do it immediately after you notice that your card is gone.

Moreover, while submitting your issue, also request a new medical or insurance number.

Apart from that, it is also a good idea to file a complete police report in cases where you have lost your health insurance card or if someone stole it from you.

Make use of the best sounding passwords

This is a good time to give you one other piece of advice.

With so many password managers available in the market (some of them even free), you should have a unique password for each and every one of your online profiles and accounts, whether or not they are related to healthcare or insurance.

Doing that stops hackers and other cybercriminals from reusing your medical credentials elsewhere through credential stuffing tactics.

You may already know that some of these tactics make use of the already known password and username combinations.

Most of the time, such information is leaked to the internet via data breaches.

You probably do not need us to tell you that once hackers get the right combination for a given account, they can have full access to it and can probably access your other accounts as well.


With free password managers available in the market, you do not need to create strong passwords on your own anymore. If you do want to do that, then make sure your password is long.

It should also have both lower-case and upper-case letters.

Also, make use of symbols and numbers.

Again, if you feel that you cannot do that and want to have someone or something assisting you in the process then go and get yourself a password manager as early as possible.

There are a lot of things you need in your toolkit to protect yourself from various cyber threats on the internet and a password manager is definitely one of them.

The importance of your credit report: Check it often

The problem with medical identity theft is that hackers can more often than not get away with all the sweet stuff before law enforcement agencies finally catch up to them.

Now, one really smart way to detect if something has gone wrong with your personal information is to regularly check your credit report.

If someone has done something untoward with your information then it should show up on your credit report.

More specifically, you may see some medical collection notices for charges which you never made or don’t recognize.

People who reside in the United States and are subject to the Fair Credit Reporting Act have the option of getting a free credit report not just from one but from all three of the major US credit reporting bureaus.

They can do it for free once every year.

Moreover, if they want to, they can also receive a completely free report in situations where some negative action has taken place, such as their medical insurer denying them medical coverage.

All the person has to do is make sure that he/she requests the relevant report within 60 days of any adverse action.

Search for malicious and/or suspect correspondence

If you have received a hefty-looking bill in your mail for a special service that you never received then you know something weird is going on.

Sometimes hackers and scammers will send you an email about a medical problem or issue that you never had or know nothing about.

At other times, your health insurance service will send you an email or a letter which would state that you have gone beyond your limit for a specific kind of procedure or benefit.

That also points towards the fact that someone has been messing with your medical record.

Then there are those times when your medical insurance service hits you with a denial of insurance email.

That usually happens when a thief wants to get some medical condition fixed which makes the person uninsurable.

If any such dubious things happen to you then you should consider them as major red flags.

More specifically, you need to look into such problems as soon as you can.

Apart from that, we also think it is a good practice to spend some time reading about the different data breaches that happen every now and then, so that you stay aware of any signs that your data got hacked as well.

In fact, HIPAA (the Health Insurance Portability and Accountability Act) offers a data breach notification rule just for this purpose.

The data breach notification rule mandates that individuals who are affected by data breaches of PHI, or Protected Health Information, must receive a notification from covered entities.

Moreover, the rule also says that covered entities must make sure that they notify the HHS (the United States Department of Health & Human Services) and, in specific situations, the media as well.

With that said, such entities only have around 60 days after they have discovered that a data breach did happen to disclose the information.

Now the problem with the 60-day limit is that hackers can get away with a lot of damage by the time the user gets to know that his/her information got leaked in a given data breach.

Keep updated on what’s happening with your insurance provider

If you happen to live in the United States of America, your insurance service provider should have no qualms about sending you a document labeled EOB or Explanation of Benefits.

This is a document which outlines all the claims that you or anyone might have made which are covered under your medical insurance plan.

Most of the time, your medical insurance provider will send you this after the service has processed a claim.

In a similar way, those people who are entitled to Medicare usually receive their own MSN or Medicare Summary Notice pretty much after each period of 3 months has elapsed.

Of course, if you have not received any medical supplies or services in the previous period of 3 months then you should not receive one.

Now, even though it is considered prudent to check MSN reports when they do arrive, we think you can take an extra step and check such reports periodically in order to make sure that you have not somehow missed an important entry.

This is where having an online account really helps.

If you have one, all you need to do is to log in to your account and review all items on your recent activities page.

Now, if you cannot do that then you have the other option of calling up your health insurance provider and then confirming the items that were listed in your last couple of claims or more.

This isn’t to say that you will be completely safe from problems such as medical identity theft if you take these steps, but you will have a better chance of catching medical identity theft very quickly when it happens.

And as we have mentioned before, the sooner you find out about medical identity theft, the less time the hacker has to do damage.

Also, keep in mind that certain types of people and professions are more prone to getting victimized via medical identity theft.

If you are an old person, there is a good chance that a hacker would try to make you a victim of medical identity theft.

Moreover, hackers seem to think that older people are less likely to have suspicions about a given transfer or a website asking them for a certain kind of information.

Apart from that, hackers know that the older a person is the less is the chance that the person would make an effort to stay on top of his/her statements and receipts.

On that note, it is also true that cybercriminals have a proclivity for targeting children.

They consider them as prime targets for the simple reason that their parents or guardians are less likely to check their credit reports.

Even if they do get around to checking them, they wouldn’t do so on a regular basis.

Following that, we think it is a good idea to keep checking credit reports on behalf of older relatives and children.

Things to do when you have become a target of medical identity theft

If you have gone through the tips that we have mentioned above and suspect that you have actually become a victim of frauds such as medical identity theft, there are a lot of things you can do.

Let’s list them out.

  • File a new police report.
    We know that the chances of the perpetrator getting caught are minimal.
    But even knowing that, it is absolutely crucial that you file a police report.
    Why do we say that?
    We say that because once you manage to file a report, the police will give you a file report number.
    You can use that number in the future if you need proof that a medical identity theft case indeed occurred.
  • Go to your local fraud center and file a report there as well.
    Of course, this depends on where you live in the world.
    But if you live in a country with some semblance of law and order, it should have a center for general fraud.
    You should go there and then file a report.
    Allow us to give you some examples.
    Australia: Scamwatch
    Canada: Canadian Anti-Fraud Centre
    UK: Action Fraud
    US: and/or FTC (Federal Trade Commission) Assistant
  • Notify the insurance company.
    Needless to say, if you suspect medical identity theft you need to inform the service that provides you insurance.
    Tell the service about the fraud and learn more about the specific protocol that the service has in place for such types of victim situations.
  • Access your medical records and make copies of them.
    Federal law in the US dictates that all US citizens can exercise their right to access their medical files and view their content.
    So contact any kind of medical service provider.
    You can contact a doctor or a pharmacy or even a hospital where you feel a hacker or thief could have abused your medical information.
    Moreover, you should also note that these copies of medical records do not come for free.
    Keep that in mind.
    The actual price that you might have to pay will depend on the insurance provider.
    Once you have access to them, you can check your reports and note down any errors that you might come across.
  • Get your accounting of disclosures document.
    If you live in America, federal law gives you the right to get a free copy of your accounting of disclosures document upon request.
    Do take note that medical service providers can only provide you one free copy.
    The accounting of disclosures document is essentially related to the requester’s medical records.
    It contains information about any kind of information that a given provider may have sent the user.
    Along with that, it also details when and why a provider sent a piece of information and to whom the provider actually sent it.
    Once you have this information, you should have a better idea of whether or not your medical records have errors in them.
  • If you find erroneous information you should ask for relevant corrections.
    Let’s assume that you now know where your medical records have got things wrong.
    You also know who has your erroneous medical record.
    The next step is to go to the medical service provider with the erroneous record and request the provider to make corrections.
    You might already know this but health providers in this country are required by law to make all the requested changes that a person may need.
    Of course, you will have to provide some supporting documentation if you want to get your requests approved.
    More specifically, you may have to explain that you have become a victim of medical identity theft.
    While doing that, there is no doubt that a police report would come in really handy.

We hope you are now more prepared than ever to not only keep safe from medical identity theft but also know how to fight it once you become a victim.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.