Health Care Data Breach: What to Know About Them and What to Do After One

Confident black female doctor looking at a screen of medical data.

Experian, TransUnion and Equifax now offer all U.S. consumers free weekly credit reports through AnnualCreditReport.com.

Having your records stolen in a health care data breach can be a prescription for financial disaster. If scam artists break into health care networks and grab your medical information, they can impersonate you to get medical services, use your data to open credit accounts, break into your bank accounts, obtain drugs illegally, and even blackmail you with sensitive personal details.

ID theft victims often have to spend money to fix problems related to having their data stolen, which averages $600 according to the FTC. But security research firm Ponemon Institute found that health care identity theft victims spend nearly $13,500 dealing with their hassles, which can include the cost of paying off fraudulent medical bills.

Victims of health care data breaches may also find themselves being denied care, coverage or reimbursement by their medical insurers, having their policies canceled or having to pay to reinstate their insurance, along with suffering damage to their credit ratings and scores. In the worst cases, they've been threatened with losing custody of their children, been charged with drug trafficking, found it hard to get hired for a job, or even been fired by their employers.

What Is a Health Care Data Breach?

Health care data breaches occur when hackers infiltrate the computer network of a doctor's office, clinic, hospital, medical lab, insurer or other medical provider. In many cases, medical information is stolen by medical workers or accidentally exposed through lax office procedures and security.

Medical data is a big target for fraudsters because it's often much more valuable than other commonly available personal data. While a stolen credit card number might be sold for just a few cents, medical files can be worth as much as $1,000 each, according to Mariya Yao, Chief Technology Officer and Head of Research & Design at TOPBOTS, an artificial intelligence research firm.

The number of thefts of patient medical data hit a new high last year—averaging more than one data breach per day—and it's not slowing down much in 2018, according to the health care privacy firm Protenus. While 2017 saw a total of 477 incidents in which medical records were stolen, more than 110 breaches have already been reported during the first quarter of 2018, involving more than 1.1 million patient records.

What Information Can Be Stolen in a Health Care Data Breach?

Hackers are looking for information that can be used to impersonate you and get medical treatment or drugs on your account or covered by your medical insurance. They're looking for:

  • Your Medicare or insurance policy numbers
  • Your identifying information, including Social Security number, birth date and other specifics to impersonate you or guess at passwords
  • Your medical history of treatments and prescriptions, as well as your family's
  • Your billing and payment information, including checking and credit card accounts

In the event that the thieves can't use your information for medical purposes, they can still sometimes use your personal information to put bogus charges on your credit cards, raid bank accounts or open new credit lines in your name.

Signs that You're the Victim of Medical Identity Theft

Your first clue that your medical data may have been hacked might come in a statement, bill or notice from your insurer, your doctor or another medical provider, warns the Federal Trade Commission.

According to the commission you should be on the lookout for:

  • A bill or statement of benefits showing medical services you didn't receive
  • A call from a debt collector about a medical debt you don't owe
  • One or more medical collection notices on your credit report that you don't recognize
  • A notice from your health plan or insurer saying you reached your benefit limit
  • A denial of insurance because your medical records show a condition you don't have

You also should keep an eye out for any unauthorized withdrawals or changes to your medical, insurance or financial accounts, notices of changes to your accounts, declined credit card charges, bounced checks and unexpected emails, notices or other inquiries about your accounts. In addition, notices of password changes or being locked out of your accounts can be signs that someone has logged on in your place.

Finally, don't simply toss away a bill you don't recognize for a procedure you didn't have or from an unfamiliar doctor or medical provider, even if it's for someone under another name. Rather than being a mistake, it could be a sign that medical treatment is being obtained on your account by someone who's gotten a hold of your private information. Parents also should keep an eye out for any statements or activities relating to children or other family members who are carried on your insurance or who share the same medical providers.

What to do If You're Part of a Health Care Data Breach

In addition to keeping a watchful eye on medical notices and activity on your accounts, safeguard yourself in all the other usual areas of potential identity theft, such as attempts to access your bank and credit card accounts, opening new credit accounts in your name or to steal your tax refunds.

You can check your credit reports from each of the three major credit bureaus every 12 months at annualcreditreport.com or get a free copy of your Experian credit report here on Experian.com. You also have the right to place fraud alerts or credit freezes on your accounts to prevent or warn you if anyone tries to open accounts in your name.

You also should pay attention to activity on your medical financial accounts, such as a Health care Savings Account (HSA) or a Flexible Spending Account (FSA), where a hacker could withdraw money once they grab your personal information.

How to Get Things Back on Track After a Health Care Breach

If you do get the sinking realization that your medical information has been stolen, here are three steps you can take to protect yourself and minimize the damage.

1. Gather Documents and File Reports

2. Collect Current Copies of Medical Records

Get current copies of all your medical records from your doctors and all other health care providers, along with your medical insurer, plus the records of any family members who also may be affected. Go through the reports, looking for any treatments, procedures or prescriptions that weren't authorized for you and your family. In some cases, a scam artist may have maxed out your benefits for the year or done something else that might threaten your coverage and eligibility for treatment.

You'll want to check that all your personal information is correct, from your mailing and billing address to your blood-type. If your medical records have been changed to reflect treatment for an imposter, they could contain dangerous errors, such as listing incorrect allergic reactions to some medications, a chronic condition such as diabetes, conflicting medication lists, or even an incorrect blood type. If you're in an accident and brought into an emergency room, that kind of falsified information could prompt a dangerous or even fatal medical mistake.

This can be time-consuming and frustrating, but your best approach is to work through a complete list of each doctor, clinic, hospital, pharmacy, laboratory, health plan, and locations where a thief may have used your information, according to the FTC. If a thief received treatment or a prescription under your name, request the records from the health-care provider and any pharmacy that might have filled a prescription.

In the ironic situation that a medical provider refuses to provide records out of concern for an ID thief's medical privacy, you have the right to appeal under federal law. According to the FTC, you should contact the person listed in the provider's Notice of Privacy Practices, the provider's patient representative or its ombudsman. If you still can't get your records within 30 days of your written request, you may contact the U.S. Department of Health and Human Services' Office for Civil Rights, by calling (800) 368-1019 or emailing ocrmail@hhs.gov.

In addition, federal law allows you to get one free copy of the accounting from each of your medical providers every 12 months, which is a record of anyone who's received any of your medical information from that provider. Request a copy of the "accounting of disclosures" from each of your health plans and providers. This will explain who received your medical information, what was sent and why and when it was distributed.

Getting copies of your medical records can cost money. Your individual state health privacy laws may make it easier for you to obtain records.

3. Ask for Corrections

Once you've reviewed your health records, report any wrong information and request corrections in writing. You can copy the records and highlight or circle any wrong entries to be deleted, and write out additions or corrections. Make copies of everything you send, keep the originals and make a record of what was sent, where and when.

Ask the provider to correct or delete each error. Send your letter by certified mail, and ask for a "return receipt," so you have proof of what the plan or provider received. Include a copy of the police report and the Identity Theft Report filed with the FTC.

The health care provider is required to correct your records and alert any laboratory or other provider that may have received incorrect information. The FTC advises that if a provider won't make corrections, you should ask that a statement of your dispute and corrections be included with your medical records.

Once you've obtained your medical records, keep a clean, corrected set on file and update it as you undergo any other medical treatments or procedures, to make sure you have an accurate, complete set of your own.

Read more here about data breaches: