Medical Identity Theft: Risks, Detection, and Recovery

Medical identity theft occurs when a person's identifying information — name, Social Security number, insurance ID, or Medicare/Medicaid number — is used without authorization to obtain healthcare services, prescription drugs, or medical equipment, or to submit fraudulent billing claims. The consequences extend beyond financial loss to include corrupted medical records that can directly affect patient safety and care outcomes. Federal enforcement involves the Department of Health and Human Services Office of Inspector General (HHS-OIG), the Federal Trade Commission (FTC), and the Centers for Medicare & Medicaid Services (CMS). This page maps the structure of the medical identity theft sector, its mechanics, detection indicators, and the recovery process as defined by federal and state regulatory frameworks.



Definition and Scope

Medical identity theft is formally defined by the FTC as a form of identity theft in which stolen personal information is used to obtain medical care or prescription drugs, or to submit fraudulent insurance or government healthcare program claims. The World Privacy Forum, a public research organization, identified medical identity theft as a category distinct from financial identity theft in its 2006 report, noting that the harm is uniquely compounded because falsified entries become embedded in the victim's permanent medical record.

The scope of the problem intersects two federal programs with significant fraud exposure. CMS reported that Medicare and Medicaid improper payments — a category that includes fraud-driven billing — exceeded $100 billion in fiscal year 2022 (CMS Improper Payments Report, FY2022). Not all improper payments constitute identity theft, but the OIG identifies fraudulent use of beneficiary credentials as a persistent subcategory.

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to provide patients access to their medical records, which is the primary legal mechanism through which victims can identify and dispute fraudulent entries. The HIPAA Privacy Rule, codified at 45 CFR Part 164, obligates covered entities to respond to record access requests within 30 days.

The identity theft service providers listed on this site include firms that specialize in medical record correction and healthcare fraud remediation, operating alongside general identity restoration services.


Core Mechanics

Medical identity theft operates through three distinct structural pathways:

Fraudulent Service Acquisition: An individual uses stolen credentials — typically a health insurance card, Medicare number, or Social Security number paired with a date of birth — to receive medical treatment, surgical procedures, or prescription drugs. The services are billed to the victim's insurer or to CMS programs.

Fraudulent Billing by Providers: In some schemes, the perpetrator is a healthcare provider or billing entity. Patient data obtained through data breaches or internal theft is used to bill for procedures never rendered. HHS-OIG targets this category through its exclusion database and the Healthcare Fraud Prevention Partnership.

Prescription Drug Fraud: Controlled substance prescriptions are obtained using a victim's identity, either through a compromised prescriber relationship or a falsified patient identity. This pathway intersects with Drug Enforcement Administration (DEA) jurisdiction and state prescription drug monitoring programs (PDMPs).

In each pathway, the data compromise that initiates the fraud can originate from a healthcare data breach, insider theft from a provider or insurer, social engineering of administrative staff, or purchase of credentials on criminal marketplaces. The Office for Civil Rights (OCR) at HHS tracks healthcare data breaches under the HITECH Act breach notification rule; breaches affecting 500 or more individuals are posted to the HHS Breach Portal.


Causal Drivers

The elevated risk profile of medical identity theft relative to other identity theft types is driven by several structural factors within the healthcare sector:

High data concentration: A single electronic health record (EHR) contains demographic, insurance, financial, and clinical data — a combination that is more commercially valuable on criminal markets than credit card data alone. The Cost of a Data Breach study, conducted by the Ponemon Institute and published by IBM (the 2020 edition is cited here), has consistently shown healthcare as the highest-cost sector for breach remediation for over a decade; the 2023 edition put average healthcare breach costs at $10.93 million per incident.

Delayed victim detection: Unlike credit fraud, where unauthorized charges trigger rapid alerts, fraudulent medical billing may not surface until a victim reviews an Explanation of Benefits (EOB), receives a collection notice, or applies for insurance. The FTC has documented detection delays of 12 months or more in medical identity cases.

Regulatory complexity: HIPAA's segmentation of access rights between patients and their insurers creates gaps. A victim seeking to correct a fraudulent record at a provider they never visited may face barriers because the provider has no prior treatment relationship with them.

Third-party exposure: Covered entities routinely share data with business associates under HIPAA Business Associate Agreements (BAAs). The 2013 Omnibus Rule extended HIPAA obligations to business associates, but enforcement gaps remain documented in OIG audit reports.

The Provider Network Purpose and Scope page outlines how service categories in this domain are classified, including providers operating at the intersection of HIPAA compliance and identity restoration.


Classification Boundaries

Medical identity theft is classified along two primary axes: perpetrator relationship and harm type.

By perpetrator relationship:
- External criminal actor — theft of credentials through breach, social engineering, or dark web purchase
- Internal actor — employee of a healthcare entity misusing patient data
- Provider-initiated fraud — a licensed or unlicensed provider billing under real patient identities

By harm type:
- Financial harm — fraudulent charges billed to insurance, unpaid balances sent to collections
- Medical record corruption — fictitious diagnoses, medications, or procedures entered in the victim's chart
- Insurance consequence — policy cancellation, rate increases, or claim denials based on fraudulent prior history

HIPAA does not separately codify "medical identity theft" as a distinct violation category; the governing framework treats it primarily as an unauthorized disclosure (Privacy Rule) or breach (Breach Notification Rule) on the provider/insurer side, and as a fraud matter under 18 U.S.C. § 1347 (healthcare fraud statute) on the criminal side.


Tradeoffs and Tensions

Record access vs. fraud investigation: When a victim requests their complete medical record to identify fraudulent entries, the covered entity may delay or restrict access if law enforcement has requested a hold pending investigation. HIPAA permits this suspension under 45 CFR § 164.524(a)(2), creating a direct conflict between victim rights and investigative process.

Correction rights vs. provider autonomy: Patients have the right to request amendments to medical records under HIPAA, but providers retain the right to deny amendment requests if the record is accurate from the provider's perspective. In medical identity theft cases, the "accurate" entries from the fraudulent provider's file conflict with the victim's actual history — a dispute that may require formal arbitration or legal intervention.

Data sharing for care coordination vs. fraud propagation: Interoperability initiatives promoted by the 21st Century Cures Act (Public Law 114-255) require health systems to share data broadly to improve care. The same interoperability infrastructure can propagate corrupted records across multiple systems, expanding the scope of correction required after medical identity theft.


Common Misconceptions

Misconception: Medicare and Medicaid numbers are not sensitive because they are widely used for billing.
Correction: Beginning in 2018, CMS replaced Social Security-based Medicare numbers with randomized alphanumeric Medicare Beneficiary Identifiers (MBIs) precisely because SSN-derived numbers were being exploited. The new MBI format does not encode personal information, reducing but not eliminating fraud risk.

Misconception: A victim can simply dispute fraudulent medical records the same way they dispute a credit report entry.
Correction: Medical records are governed by HIPAA, not the Fair Credit Reporting Act (FCRA). The dispute and correction process operates through covered entity amendment requests and, where applicable, state medical records statutes — not through the three major consumer reporting agencies.

Misconception: Health insurers automatically notify victims when fraudulent claims are filed.
Correction: Insurers are required to send Explanation of Benefits statements, but these are often overlooked or sent to outdated addresses. There is no federal statute mandating real-time fraud alerts to beneficiaries in the manner that the FTC's Red Flags Rule requires for financial institutions.

Misconception: Medical identity theft only harms the victim financially.
Correction: The OIG and patient safety organizations including the Alliance of Professional Health Advocates have documented cases where corrupted blood type, allergy, or medication records created direct patient safety risks during subsequent care.


Procedural Steps (Non-Advisory)

The following sequence represents the standard procedural pathway documented by the FTC and HHS-OIG for addressing confirmed or suspected medical identity theft:

  1. Request Explanation of Benefits statements from all health insurers, including Medicare/Medicaid, covering the prior 24 months. This establishes a baseline of claims filed under the victim's credentials.

  2. Request a complete medical record disclosure accounting from each covered entity under HIPAA 45 CFR § 164.528. This accounting lists all disclosures of the patient's records, which may identify unknown recipients.

  3. File a fraud report with the FTC at IdentityTheft.gov, which generates an Identity Theft Report usable in subsequent disputes.

  4. Report Medicare or Medicaid fraud to the HHS-OIG Hotline at 1-800-HHS-TIPS or through the OIG online reporting portal.

  5. Submit a HIPAA amendment request to each covered entity where fraudulent records exist, attaching the FTC Identity Theft Report as supporting documentation.

  6. Place a fraud alert or security freeze with Equifax, Experian, and TransUnion under FCRA rights, addressing the financial identity component.

  7. Notify the state insurance commissioner in the state where the fraudulent insurance claim was filed. State insurance fraud bureaus maintain independent investigation authority.

  8. Request a new Medicare Beneficiary Identifier (MBI) from CMS if the existing number is confirmed compromised, following CMS guidance on MBI replacement.

The How to Use This Identity Theft Resource page maps the service categories verified in this network to each phase of this process.


Reference Table

| Harm Type | Primary Regulatory Body | Governing Statute/Rule | Victim Remedy Mechanism |
|---|---|---|---|
| Fraudulent insurance billing | FTC / State Insurance Commissioner | 18 U.S.C. § 1347; state fraud statutes | FTC Identity Theft Report; insurer dispute |
| Medicare/Medicaid fraud | HHS-OIG / CMS | Social Security Act §§ 1128A, 1128B | OIG Hotline; CMS beneficiary services |
| Corrupted medical record | HHS Office for Civil Rights | HIPAA Privacy Rule, 45 CFR § 164.524–528 | Amendment request under 45 CFR § 164.526 |
| Prescription drug fraud | DEA / State PDMP | Controlled Substances Act, 21 U.S.C. § 801 | State PDMP dispute; law enforcement report |
| Breach of health data | HHS OCR | HITECH Breach Notification Rule, 45 CFR § 164.400 | OCR complaint; covered entity notification |
| Credit/collections impact | FTC / CFPB | FCRA, 15 U.S.C. § 1681 | Credit bureau dispute; debt collector cease |
