Protecting your medical identity against theft

Medical ID Theft Checklist

folded paper icon


When someone uses your personally identifiable information (PII) to visit a doctor, purchase prescription medication, buy a medical device, submit a claim using your medical insurance, or receive another form of medical care, they are committing medical identity theft.

The misuse of your PII can do more than generate costly false claims. If the thief’s health information becomes mixed with yours, it can introduce inaccuracies into your medical records that could lead to misdiagnosis or mistreatment — both of which can result in serious health consequences.

The Federal Trade Commission notes that medical identity theft can impact the care you receive, the health insurance benefits you can use and hurt your credit.

Signs You Might Be a Victim of Medical Identity Theft

If your data has been compromised and used for medical identity theft, you might see one or more of the following indicators:

  • A bill for medical care, services, or equipment you didn’t receive
  • A call from a collection agency about a medical bill you don’t owe
  • Past due or collection accounts on your credit report that you don’t recognize
  • A letter from your health plan saying that you reached or exceeded your benefit limit
  • A denial of insurance because your medical records show a condition you don’t have
  • Suspicious charges on a bill that indicate you have been charged twice for the same service or billed by a doctor or hospital you’ve never visited or for a procedure you haven’t undergone

What to Do If You Are a Victim of Medical Identity Theft

Here are seven steps you can take to mitigate the potential fallout.

Get a copy of your medical records from your health insurance company Report any discrepancies to your insurance provider and work together to resolve the problem. If you suspect you’re the victim of medical identity theft, you’ll want to cancel your health insurance ID number and have a new one assigned to you. If the policy is through your employer, alert Human Resources or the person who handles health insurance coverage at your company. While this process sounds a lot like credit card fraud, unfortunately there are no similar liability limits for healthcare coverage.
Contact each healthcare provider–including doctors, clinics, hospitals, pharmacies, and laboratories–and ask for copies of your medical records

The FTC offers a checklist of steps that victims of medical identity theft should take, starting with informing yourself of your state’s health privacy laws that can make it easier to get copies of your medical records.*

You might also want to check your records from the MIB (Medical Insurance Bureau) for suspicious activity. Just like for your credit reports, consumers are legally entitled to annual access to their records with the MIB. You can request your MIB consumer file at

*FTC Checklist, “How to Correct Errors in Your Medical Records.”

Check your Medicare Summary Notices and Explanation of Benefits (EOB) statement that your health plan sends after treatment

Check the name of the provider, the date of service, and the service provided. Do the claims paid match the care you received? If you see a mistake, contact your health insurance and healthcare provider immediately to report the problem. Carefully review the Explanation of Benefits that you get from your health insurer to make sure that all charges were incurred by you. If you see charges for treatments that you never received, immediately notify your health insurance company and medical providers.

Correcting records can be hard. In general, federal law lets patients correct medical records created only by the medical provider or insurer that now maintains your information. A hospital or insurer that later receives your information doesn’t have to correct its records — even when they’re wrong. But you do have the right to have your records state that you disagree with the information and why. Be sure your complaint is entered into your records and request copies for your records.

Check your credit reports Review your credit reports with the three major credit bureaus to see if there are any delinquent medical bills in your name that you don’t recognize. Be sure to ask each of your medical and health insurance providers for a copy of the “accounting of disclosures.” This is a record of who got copies of your medical records. The HIPAA Privacy Rule gives people the right to request copies of their records maintained by covered health plans and medical providers. The accounting includes details about what medical information the provider sent, when it sent the information, who got the information, and why the information was sent. The accounting should show who has received copies of your records that include errors and who you need to contact. It may not have details about some routine disclosure of your information, like those from your doctor’s office to another doctor’s office, or disclosure of payment information to an insurer.
Ask for corrections if you find errors Contact your health insurer and medical provider to alert them to the inaccuracies and begin the dispute process. Detail what information is incorrect. Send copies of the documents that support your position and be sure to include a copy of your medical record and circle the disputed items. Ask the provider to correct or delete each error. Keep the original documents. Send your letter by certified mail and ask for a return receipt so you have a record of what the plan or provider received. Keep copies of your letters. The health plan or medical provider that made the mistakes in your files must change the information. It should also inform labs, other healthcare providers, and anyone else that might have gotten the wrong information. If a health plan or medical provider won’t make the changes you request, ask it to include a statement of your dispute in your medical records.
File a police report or Identity Theft Report and send it to your health insurance company, medical providers, and all credit bureaus Filing a police report will notify law enforcement that a crime may have been committed. Also, file an Identity Theft Report with the Federal Trade Commission (FTC). While the FTC cannot resolve individual complaints, the report can help it and its partners in law enforcement find patterns of fraud and abuse that inform and resolve investigations.
Consider placing a fraud alert or security freeze on your credit files Take greater control over who can access your credit. Placing a fraud alert and credit freeze on your credit reports if you think a scammer is using your PII. A fraud alert means the bank or other creditor will contact you to confirm your identity when anyone applies for credit in your name. A credit freeze means lenders are blocked from accessing your credit report. Both make it more difficult for someone to gain credit using your information.
What You Need to Know:

The credit scores provided are based on the VantageScore® 3.0 model. Lenders use a variety of credit scores and are likely to use a credit score different from VantageScore® 3.0 to assess your creditworthiness.