What is medical identity theft, and how can you protect yourself?

We often picture stolen cards and drained bank accounts when we think about identity theft. In health care, the risks can go further. If someone uses your medical identity to get treatment, fill prescriptions, or file insurance claims, the harm isn’t only financial.

False entries can land in your medical records and follow you into future appointments. That can lead to wrong medications, denied procedures, and benefits that are used up before you need them.

This guide explains what medical identity theft is, how it happens, the warning signs to look for, and the steps to correct both bills and records.

Please note: This information is for general educational purposes and not financial or legal advice.

What is medical identity theft?

Medical identity theft happens when someone uses another person’s health or insurance information to obtain medical services, prescription drugs, or to bill an insurer or public health system. The information can include identifiers like your full name, date of birth, national ID number, or insurance membership details. In some systems, government health numbers such as Social Security or Medicare numbers can also be misused.

What makes this form of identity theft unique is that it can alter your medical records as well as your bills. A false entry in your chart can follow you into future appointments, which is why consumer protection authorities treat it as a distinct category of fraud.

While specific rights vary by country, most healthcare and privacy frameworks recognize patients’ ability to access and request corrections to their records:

• In the United States, patients have rights under the Health Insurance Portability and Accountability Act (HIPAA) to access their medical records and request corrections.
• In the European Union, the General Data Protection Regulation (GDPR) gives individuals the right to access their health data and demand rectification of inaccuracies.
• In Canada, provincial health privacy laws such as Ontario’s Personal Health Information Protection Act (PHIPA) provide similar rights.

What happens if your medical information is stolen?

When your medical identity is misused, two kinds of harm usually follow.

The first is financial. You may receive bills for care you never had. Your insurer’s Explanation of Benefits (EOB), which is the statement showing what was billed, what the plan paid, and what you may owe, may list unfamiliar procedures. In some cases, you may even be told you have already reached an annual limit for a service you never used.

The second is clinical. False entries slip into your record: new diagnoses, allergies, or medications that don’t apply to you. These errors can shape how doctors treat you in the future. A wrong allergy could prevent you from receiving the right medication. An invented diagnosis could influence treatment decisions in an emergency.

Resolving these problems can also take months. Disputed claims often trigger long back-and-forth exchanges with insurers and providers. If unpaid balances are mistakenly sent to collections, your credit report can suffer lasting damage. Beyond the paperwork, victims frequently spend dozens of hours gathering records, contacting fraud units, and correcting entries across multiple offices.

Common examples of medical identity theft

Medical identity theft can take many forms. Here are the most frequent scenarios:

• Imposter visits: Someone uses your insurance card or details to get treatment at a clinic or hospital. The visit looks legitimate in the system, leaving behind a diagnosis and prescription in your record. Later, you may face denied claims because the plan thinks you already had the service.
• Equipment billing: Fraudsters bill your plan for medical equipment like braces, monitors, or mobility aids that you never received. These claims can quickly drain the benefits you expected to use for legitimate care.
• Prescription fraud: Criminals use your details to obtain controlled substances or other medications. Your pharmacy history then shows refills and prescriptions that were never yours.
• Insider misuse: Staff with access to billing systems or patient records submit false claims using real patient data. Because the claims come from inside the system, they can appear especially credible.

Learn more: Medical identity theft is just one form of fraud. For a broader overview, see the different types of identity theft.

How does medical identity theft happen?

Criminals use many entry points like data breaches, phishing, weak account security, stolen mail, and even insiders with billing access. Each route leads to the same outcome: a thief has enough personal information to impersonate a patient or to file claims that look routine.

Health data is especially attractive to criminals because it contains identifiers that don’t change. A stolen credit card can be canceled, but a date of birth or national health number remains valid for life. Medical records also tend to be complete packages, linking names, addresses, insurance details, and sometimes financial identifiers. That combination means a breach can enable multiple forms of fraud, not just false claims.

Methods used to steal medical identities

Criminals use a mix of digital scams and old-fashioned theft to capture sensitive health details and exploit them for fraud.

Data breaches

Breaches at hospitals, insurers, clearinghouses, and service vendors supply the raw material for fraud. Attackers extract names, dates of birth, member IDs, and sometimes national IDs (like Social Security numbers). With that information, a thief can open a portal account in your name, present at a clinic with a plausible story, or file claims without leaving a visible trace until the insurer’s systems reconcile year-end usage.

Phishing

Fake appointment reminders, lab result notices, or portal login alerts can direct victims to lookalike sites. If the attacker captures a login, they may be able to view claims, in some cases request new insurance cards, or update contact details to delay detection.

Mail and paperwork theft

Many health systems and insurers still send paper statements after visits or procedures. EOBs and claim summaries often include provider names, service dates, and billing amounts.

If these letters are stolen, or if someone fraudulently changes your mailing address, criminals can gain enough information to stage false claims. At the same time, the real patient may stop receiving notices, making the fraud harder to detect.

Real-world scenarios and case studies

Large incidents show how medical identity theft can spread far beyond one hospital or clinic.

In 2018, Singapore’s SingHealth system was hacked, and the records of 1.5 million patients were compromised, including those of the Prime Minister. The attack became one of Asia’s most significant healthcare breaches.

In the UK, a 2024 ransomware attack on Synnovis, a pathology provider serving multiple NHS trusts, led to significant service disruption. Threat actors later posted nearly 400GB of data that included patient identifiers and test details. Such attacks are part of a growing trend in cyber extortion, where criminals pressure organizations by stealing or encrypting sensitive data.

Also in 2024, the Change Healthcare ransomware attack brought much of the U.S. claims system to a halt. Pharmacies struggled to fill prescriptions, providers switched to manual billing, and insurers faced weeks of disruption. The U.S. Department of Health and Human Services’ Office for Civil Rights reports that approximately 192.7 million individuals were impacted. The case highlighted how a single clearinghouse can serve as a bottleneck for an entire industry.

In 2025, Episource (a vendor that helps insurers with risk adjustment) disclosed a breach that exposed information for more than 5.4 million people. Many of those patients had never heard of the company, yet their data was there through insurer partnerships. The incident underscored how little-known contractors can hold sensitive information on a massive scale.

Not every breach makes the news. Regulators routinely record smaller mishaps, like misdirected emails, stolen laptops, or local server break-ins. Many affect only a few hundred patients, but when a large vendor is involved, the impact can quickly climb into the millions.

What are the red flags of medical identity theft?

Red flags often show up first in your own paperwork and online portals. Strange procedures on an insurance statement, denials for services you never received, or medical records that don’t match your history all point to possible misuse.

Unfamiliar charges or procedures on medical bills

Review your Explanation of Benefits or equivalent statements closely. Red flags include provider names you don’t recognize, dates that clash with your schedule, or procedures and prescriptions you never received. Keep original statements and letters, as they provide the clearest timeline of what your insurer believes happened.

Denied insurance claims you didn’t file

If a claim is denied because the plan thinks you already had the service, or because a benefit limit was reached, but you never used it, that’s a major warning sign. Fraudulent use can consume your benefits before you need them.

Suspicious activity in your health records

Patient portals often list visit history, lab results, allergies, and prescriptions. Red flags include conditions you don’t have, medications you never took, or appointments at facilities you’ve never visited. Even small discrepancies matter because they can influence future treatment.

What to do if you are a victim of medical identity theft

Responding to medical identity theft means working on two tracks at the same time. First, stop further misuse by securing your insurance and financial accounts. Second, correct your medical record so that future care is based on accurate information. The order matters: gather records first so you have evidence, then submit disputes and corrections in writing. Keep everything in one folder or drive so you don’t lose track.

Please note: This guide is for educational purposes only and should not be considered financial or legal advice. If you believe you are a victim of medical identity theft, consider contacting qualified legal or financial professionals alongside the consumer protection resources listed here.

Immediate steps to take

Start by creating an official case. In the U.S., you can report identity theft online on the FTC site, which provides prefilled letters to use with insurers, providers, and debt collectors.

Next, contact your insurer’s fraud department to review recent claims, request an investigation, and place a fraud alert on your account.

At the same time, protect other areas where fraud may spread. Place a credit alert or freeze with the credit bureaus to block new accounts, and secure your online portals. Change passwords, enable multifactor authentication, and restore your correct contact details if anything was altered.

How to correct your medical records

Errors in your file can be more harmful than financial misuse because they affect treatment.

In the U.S., HIPAA gives you rights to both access and amend records. Under 45 CFR 164.524, you can request copies of medical and billing records; under 45 CFR 164.526, you can request amendments when entries are inaccurate or incomplete.

Providers must act within set timelines (typically up to 60 days), and if a request is denied, you may submit a brief statement of disagreement.

Compare the records line by line against your own history. Mark incorrect entries and attach proof, such as receipts or appointment confirmations. Submit your request in writing to the provider’s records office.

If corrections are made, ask that they be sent to everyone who received the wrong data. If denied, you can add a short statement of disagreement so your version is attached to the file. Once corrected, notify your insurer so fraudulent claims can be removed and benefits restored.

Similar rights exist elsewhere: GDPR’s Articles 15 and 16 in the EU guarantee access and rectification, while Ontario’s PHIPA gives patients the right to access their health records (sections 51–54) and to request corrections (section 55). Many other countries assign this responsibility to health regulators or data protection bodies.

How to report medical identity theft to authorities

Formal reporting of identity theft ensures your case is logged and gives you a reference number for follow-up. In the U.S., victims are encouraged to file a police report and use IdentityTheft.gov as the primary starting point.

Suspected Medicare fraud can be reported by calling 1-800-MEDICARE or through the OIG’s online fraud reporting form. Complaints about health information privacy rights violations fall under the HHS Office for Civil Rights, which enforces HIPAA privacy protections.

Outside the U.S., medical identity theft is usually reported to local law enforcement and national consumer protection agencies.

Who to contact for help

Reporting the fraud usually isn’t enough on its own. Victims often need someone to help interpret notices, track paperwork, and push disputes forward.

In the U.S., Senior Medicare Patrol (SMP) programs assist Medicare beneficiaries by reviewing statements, flagging suspicious charges, and pointing them to the right reporting channels. Some hospitals also have patient advocates who can help with record corrections and billing disputes, though availability varies by facility.

For broader cases, the Identity Theft Resource Center (ITRC) runs a free hotline and provides step-by-step remediation plans.

Outside the U.S., the role is usually filled by consumer protection agencies, patient advocacy groups, or national data protection authorities, depending on the country. They can help with form-filling, appeals, and escalation, but the structure differs from region to region.

If the fraud extends beyond medical records, you’ll find broader recovery steps in our guide on what to do if your identity is stolen.

How to prevent medical identity theft

Identity theft prevention is about reducing opportunities for misuse and shortening the time to detection when something slips through. Three habits anchor this approach. Control what leaves your hands. Harden the accounts you already use. Check high-signal sources on a schedule so you catch issues early. Theft, medical or otherwise, usually can’t be eliminated entirely, but strong habits make it far easier to catch early and contain the damage.

Protecting your health insurance and ID cards

• Treat your insurance card like a payment card. Don’t share images, and don’t carry extra copies. If a form asks for your Social Security number, ask if another identifier will work.
• Shred old explanations of benefits, pharmacy labels, and appointment stickers so they do not end up in a bin that anyone can search. Opt in to electronic EOBs to reduce the chance of mailbox theft and to see activity sooner.
• For families, set a routine. Review EOBs and portals for children once a month. Their records can be misused longer because nobody expects much activity in those accounts.

Monitoring medical records and credit reports

• Log into your patient and insurer portals every month. Scan visit histories, medication lists, and claims. Save EOBs in one place so patterns are easier to spot.
• If you see signs of broader identity misuse, place a credit freeze. It doesn’t fix medical records, but it blocks new financial accounts that often appear at the same time. Use a monitoring tool to catch exposures quickly. ExpressVPN Identity Defender scans for leaked personal details in breaches and alerts you if your information shows up, helping you act before misuse spreads.
• To track your financial identity specifically, U.S. users can turn on Credit Scanner in the ExpressVPN app. It provides your Experian credit score and flags unusual credit activity, giving you early warning of potential fraud.
• Vendor breaches often expose data even when your hospital or insurer’s own systems were never directly affected, so notices from third parties should always be taken seriously.

Learn more: If you want to understand patterns that blend real and fabricated details to create new identities, see our explainer on synthetic identity theft. Also, check out what to do next if your SSN is found on the dark web.

Using secure networks and VPNs for health data

A virtual private network (VPN) encrypts your internet connection so people on the same network can’t read your traffic. When you sign into patient portals on public Wi-Fi (for example, in a hospital) or join a telehealth session away from home, a VPN reduces the chance that someone can intercept your credentials. It can’t stop a breach inside a hospital or clearinghouse, but it lowers risk whenever your data travels over networks you don’t control.

Other than using a VPN, the following habits can help detect problems sooner and improve your overall privacy:

• Turn on multi-factor authentication for provider, pharmacy, and insurer logins.
• Create long, unique passwords and store them in a secure manager. ExpressVPN Keys can generate and remember strong credentials for your health portals, pharmacy accounts, and insurer logins, so you don’t have to.
• Keep your phone and browser updated so known flaws are patched quickly.
• Avoid logging in through links in texts or emails; type the address or use a saved bookmark.

These steps close off the easiest paths criminals use to capture credentials. For remote care, see our explainer on the rise of telehealth and what it means for patient privacy.