Detecting Medical Identity Theft

Medical Identity Theft

Medical Identity Theft

Paying close attention to your medical, insurance and financial records can help you spot discrepancies and possible fraud.

  • Read the Explanation of Benefits (EOB) statement that your health plan sends you after treatment. Make sure the claims paid match the care you received. Look for the name of the provider, the date of service, and the service provided. If there’s a discrepancy, contact your health plan to report the problem.
  • Order a copy of your credit reports,and review them carefully. Credit reports are full of information about you, including what accounts you have and whether you pay your bills in a timely way. The law requires each of three major nationwide credit reporting companies – Equifax, Experian and TransUnion – to give you a free copy of your credit report each year if you ask for it. Visit or call 1-877-322-8228 to order your free credit reports each year, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You can download the form at Once you have your reports, look for inquiries from companies you didn’t contact, accounts you didn’t open, and debts on your accounts that you can’t explain. Check that your Social Security number, your address(es), name or initials, and your employers are listed correctly. If you find inaccurate or fraudulent information, get it fixed or removed.
  • Ask for a copy of your medical records
    If you believe you’ve already been a victim of medical identity theft, review your medical and health insurance records regularly. The thief may have used your name to see a doctor, get prescription drugs with your health ID number, file claims with your insurance provider, or done other things that leave a trail in your medical records. Try to review your health records for inaccuracies before you seek additional medical care. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives you the right to copies of your records that are maintained by health plans and medical providers covered by that law. Health care providers and health plans generally are required to give you your files within 30 days after you ask for them. Unlike credit reports, there is no central source for your medical records. You need to contact each provider you do business with – including doctors, clinics, hospitals, pharmacies, laboratories and health plans – that is relevant to your experience. For example, if a thief got a prescription in your name, you may want the record from the pharmacy that filled the prescription and the health care provider who wrote the prescription. Or if you’ve been using the same hospital for 20 years and you think that the identity theft is recent, you may want to limit your request to records of the last few years or months.It’s likely that you have to complete a form and pay a fee to get a copy of your records. Keep track of your communications with your health plan and providers, including copies of postal and email correspondence, and a log of your phone calls, conversations and activities. Be patient: Health plans and providers, particularly small ones, may not have handled a claim of medical identity theft before, and may not be sure how to respond.In most instances, a provider who denies you access to your records must give you the reason in writing. Some providers may refuse to give you copies of your medical or billing records for fear that they’re violating the identity thief’s HIPAA privacy rights. These providers are mistaken: You have the right to know what’s in your file. If your request is denied, you have the right to appeal. Contact the person identified in the provider’s Notice of Privacy Practices or the patient representative or ombudsman, explain the situation and request your file. If a provider still refuses to give you access to your records within 30 days of your written request, file a complaint with the U.S. Department of Health and Human Services’ Office

You also should get a copy of the accounting of disclosures for your medical record from your health plan and providers. It will help you follow the trail of your information and identify who has incorrect information about you. The law allows you to order one free copy of the accounting from each of your providers every 12 months. The accounting is a record of:

  • * the date of the disclosure;
  • * the name of the person or entity who received the information;
  • * a brief description of the information disclosed;
  • * a brief statement of the purpose of the disclosure or a copy of the request for it.

Certain disclosures that occur often or as a matter of routine – like each time a doctor’s office sends treatment information to another health care provider, or sends payment information to an insurer for reimbursement – may not be included in the accounting.

Bouncing Back from Medical Identity Theft
If you are a victim of medical identity theft, here are several steps to take immediately. Keep detailed records of your conversations and copies of your correspondence.

  1. File a complaint with the Federal Trade Commission or by phone at 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261.
  2. and send copies of the report to your health plan’s fraud department, your health care provider(s), and the three nationwide credit reporting companies. Information on how to file a police report is at
  3. Exercise your right under HIPAA to correct errors in your medical and billing records. Write to your health plan or provider detailing the information that seems inaccurate. Include copies (keep the originals) of any document that supports your position. In addition to providing your complete name and address, your letter should identify each item in your record that you dispute, state the facts and your reasons for disputing the information, and request that each error be corrected or deleted. You may want to enclose a copy of your medical record with the items in question circled. Send your letter by certified mail, and ask for a “return receipt,” so you can document what the plan or provider received. Keep copies of your dispute letter and enclosures.

Generally, your health plan or medical provider must respond: The creator of the information is obligated to amend the inaccurate or incomplete information. It also should notify other parties, like labs or other health care providers, that may have received incorrect information. If an investigation doesn’t resolve your dispute with your plan or provider, you can ask that a statement of the dispute be included in your record.

Other Steps to Consider
Fraud alert can help prevent an identity thief from opening additional accounts in your name. Contact the toll-free fraud number of any one of the three nationwide credit reporting companies to place a fraud alert on your credit report. Contact only one of the three companies to place an alert. The one you call is required to contact the others that, in turn, place an alert on their versions of your report, too.

Credit freeze is a warning sign to businesses or others who may use your credit file. It locks down your credit file and blocks access by potential creditors. In short, it makes it less likely that an identity thief can open new accounts. Most states have laws that allow consumers to place a credit freeze with credit reporting companies. In many of these states, any consumer can freeze their credit file; in others, only identity theft victims can freeze their files.

Placing a credit freeze does not affect your credit score, keep you from getting your free annual credit report, or keep you from buying your credit report or score. It doesn’t prevent you from opening a new account, applying for a job, renting an apartment, or buying insurance, either. In these situations, the business usually needs to review your credit report. You can ask the credit reporting company to lift your credit freeze temporarily, or remove it altogether.

There are two key differences between security freezes and fraud alerts:

  • The credit reporting companies are not required to share a request for a security freeze as they are with a fraud alert. If you want to freeze all your credit files completely, you have to contact each company with your request.
  • The credit reporting companies may charge you a fee to place a freeze or to lift it. The fees and lead times to freeze or “thaw” your credit file vary among states, so it’s wise to check with your state authorities or with a credit reporting company in advance if possible. In many states, security freezes are free for identity theft victims; in others, consumers must pay a fee – typically $10. It’s also important to know that each credit reporting company charges a fee for this. If you have a valid police or other investigative report about the theft, you usually can place or lift a freeze for free.If you believe you are a victim of medical identity theft and are concerned that your identity could be compromised further – say, by credit accounts being opened in your name – you may want to consider a freeze as an additional layer of protection.

For more information please visit: Federal Trade Commission