The Justice Department’s recent healthcare fraud takedown highlights the growing issue of medical identity theft, which poses significant challenges for victims seeking to correct their medical records.
The Justice Department (DOJ) has charged 455 individuals in its annual National Health Care Fraud Takedown, a significant operation that addresses over $6.5 billion in alleged fraudulent claims. This year saw increased participation from state Medicaid units, with 90 of the accused being doctors or licensed medical professionals. While the DOJ has made these charges, prosecutors must still prove their cases in court.
Many of the fraudulent schemes involved the use of stolen medical identities. In response, prosecutors have added aggravated identity theft charges in cases spanning dozens of states. One notable case involved the co-owner of a Virginia mental health company who allegedly paid homeless individuals with hotel stays. Prosecutors claim the company used their Medicaid numbers to bill for crisis services that were never provided.
For victims whose identities have been misused, the closure of a case file does not necessarily mean the end of their troubles. Correcting corrupted medical records can be a daunting task. When someone else’s treatment records are mixed with your own, it can lead to incorrect information appearing in your medical chart. This can also deplete insurance benefits that victims may need in the future, making it far more complicated to resolve than simply canceling a credit card.
Medical identity theft occurs when an individual’s name, Social Security number (SSN), health insurance account number, or Medicare number is used by someone else to obtain medical services, fill prescriptions, or submit claims, according to the Federal Trade Commission (FTC). When care is billed under a victim’s name, the perpetrator’s health information can become intertwined with theirs. The FTC warns that such mixed records can adversely affect the quality of care a victim receives and the benefits they can access. Critical information such as blood type, drug allergies, diagnoses, or prescriptions belonging to a stranger could be included in a physician’s file before treatment.
Hospitals and insurers maintain the records that facilitate this type of fraud, and these records are frequently targeted. While not every healthcare breach results in fraud, it underscores the importance of safeguarding personal information. The value of insurance numbers, Medicare numbers, SSNs, and medical records can persist long after a breach notification is issued.
This past spring, NYC Health + Hospitals reported a data breach in which an intruder accessed files that may have contained health insurance information, medical details, biometric data, billing information, and other personal data. The breach affected approximately 1.8 million current and former patients and employees.
Once a name, SSN, insurance number, Medicare number, or medical record is sold on the criminal marketplace, it can be resold to individuals who bill under someone else’s identity. The FTC advises that health insurance and Medicare numbers should be protected with the same vigilance as payment cards.
Fraudulent medical claims can bypass the usual alerts that accompany credit checks, making it essential for individuals to remain vigilant. The FTC recommends that if a bill, explanation of benefits (EOB), or Medicare notice indicates care that was never received, victims should act quickly and maintain written records of all communications. They should contact their insurer or Medicare using the number on their card, not one from an unsolicited text, email, or voicemail.
Victims should request the provider’s name, date of service, claim number, and service details in writing, and also contact the provider to obtain the medical or billing records associated with the claim. Reporting the error to the insurer’s fraud department is crucial, as is filing a report at IdentityTheft.gov, which provides a recovery plan and necessary documentation for any fraudulent bills or collections that may arise later.
It is also important to keep copies of every bill, EOB, letter, portal message, police report, and case number. Victims should request records from every provider, clinic, pharmacy, lab, and insurer that the thief may have exploited, and report each error in writing. Under the Health Insurance Portability and Accountability Act (HIPAA), a provider generally has 30 days to grant access to records after a written request, with a possible 30-day extension.
However, correcting the records themselves can take longer. The Department of Health and Human Services (HHS) states that a covered provider or health plan typically has up to 60 days to respond to a request to amend a medical record, with a possible 30-day extension in certain circumstances. If the provider or plan created the erroneous information, they are obligated to amend any inaccurate or incomplete data.
There is a caveat, though: a provider may refuse to release records that contain a stranger’s information, citing privacy concerns. In such cases, victims should ask for the provider’s privacy officer or patient advocate. If access to records is denied or an explanation is not provided within the required timeframe, individuals can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
While a credit freeze can prevent new accounts from being opened, it does not address claims filed using a victim’s insurance number. Because medical identity theft can occur without impacting credit files, monitoring where personal information appears is a proactive way to address potential issues. Identity theft protection services can monitor the dark web, data broker sites, and people-search sites for exposed SSNs, driver’s license numbers, medical ID numbers, and email addresses. They can also track all three credit bureaus for medical collections and flag public-record changes associated with an individual’s name.
If misuse occurs, some services offer fraud resolution support to assist victims in requesting records, disputing fraudulent claims, and working with providers, insurers, and credit bureaus. Certain plans may also include identity theft insurance to cover eligible recovery costs. While no service can prevent every instance of medical identity theft, ongoing monitoring can help identify exposed information before fraudulent treatments affect a victim’s records and insurance.
Medical identity theft often strikes in an area that many individuals overlook: their health records. Unlike a stolen credit card, which can typically be canceled quickly, a stolen Medicare or insurance number can lead to fraudulent claims, incorrect diagnoses, and complications that persist long after the fraud case is resolved. It is crucial for individuals to regularly check their EOBs, Medicare Summary Notices, and insurer portals for any visits, prescriptions, or equipment they did not receive. Additionally, treating insurance cards with the same caution as payment cards is essential. Individuals should refrain from sharing their insurance number with anyone who contacts them unexpectedly with offers.
The most important step is to act swiftly. Victims should call their insurer or Medicare, request claim details, and formally request their medical records in writing. Filing a report at IdentityTheft.gov is also vital to ensure they have the necessary documentation in case of future fraudulent bills or collections.
Have you ever encountered a medical bill, insurance claim, or EOB for care you did not receive? Share your experiences with us at CyberGuy.com.
According to Fox News, the rise in medical identity theft underscores the importance of vigilance in protecting personal information.

