A document with small scattered records converging on a central file, representing medical identity theft recovery across providers.

Medical Identity Theft: How It Works and What to Do

Almost everything I’ve told people to do to protect their identity is built around the same machinery: the three credit bureaus, your credit reports, and the new accounts a thief tries to open in your name. Freeze the bureaus, watch the reports, and you’ve shut down most traditional identity theft at the source.

Medical identity theft is the one major category where that playbook mostly doesn’t apply.

A credit freeze does not stop someone from using your Medicare number. It doesn’t stop a pharmacy from filling a prescription billed to your insurance. It doesn’t stop a provider from creating a record under your name for care you never received. The credit bureaus aren’t even in the loop until much later, if they ever are. The damage shows up somewhere most people never think to look: in medical records and insurance claims.

That makes this a different problem with a different fix. Financial identity theft is usually account cleanup. Medical identity theft is record cleanup, and records are harder to clean.

What Medical Identity Theft Actually Is

Medical identity theft happens when someone uses your personal information, your name, Social Security number, health insurance account number, or Medicare number, to get medical care, prescriptions, or equipment, or to submit insurance claims in your name.

The financial angle is real, but it’s not the worst part. The FTC’s warning gets at something more serious: if the thief’s health information gets mixed into your records, it can affect the medical care you actually receive and the insurance benefits you’re able to use. A stolen credit card is a number you cancel and replace. Medical identity theft can leave behind false diagnoses, false prescriptions, false procedures, false equipment orders, and a medical file that no longer describes the person it’s attached to.

The risk that matters most isn’t financial.

A wrong line on your credit report costs you time. A wrong blood type or a fabricated drug allergy sitting in your chart is a different kind of risk, because a future doctor may make a real decision based on it. That is why this category keeps me up more than a fraudulent credit card ever did.

How Big Is the Problem, Honestly

I’ll give you the numbers, and then I’ll tell you what they don’t mean.

The FTC’s 2024 Consumer Sentinel report logged more than 6.4 million consumer complaints, including roughly 1.1 million identity theft reports. Inside that, the agency recorded 10,116 reports of medical-services identity theft and 15,587 reports of insurance identity theft. The insurance category was up 37 percent from the year before.

Here’s the honest caveat the FTC itself attaches: these are unverified consumer complaints, not a survey. They tell you what people reported, not how often it’s actually happening. The real number is almost certainly higher, because the defining trait of medical identity theft is that people don’t know it’s happening to them.

What’s harder to argue with is the breach environment feeding it. The Identity Theft Resource Center tracks data compromises across all sectors, and its count climbed from about 21,900 breaches in its 2024 report to more than 25,200 in its 2025 report, with the number of exposed records running into the tens of billions. That’s not medical-only data, but it’s the supply line. Every breach that spills names, dates of birth, insurance IDs, and Medicare numbers is raw material for someone to pose as you at a call center or a billing desk.

How It Actually Happens

There are three main paths, and they overlap.

Healthcare data breaches

The cleanest route is a breach. A hospital, insurer, pharmacy, lab, billing vendor, or claims processor loses control of protected health information, and that data ends up for sale.

A fraudster often doesn’t need your full medical chart. Your name, date of birth, insurance member ID, Medicare number, address, and known provider relationship can be enough to bill under your coverage or pass a verification check over the phone. HIPAA requires the breached organization to notify you, generally within 60 days of discovering the breach. The catch is in the timing: that clock starts at discovery, and discovery can come long after the original break-in. By the time the notice lands in your mailbox, the data may have been in circulation for months.

Fraudulent insurance and Medicare billing

The second path is straight billing fraud. Someone uses your insurance or Medicare identity to bill for care, equipment, or testing you never received.

Medicare is a frequent target because the payoff is reliable and the victim rarely checks. Two schemes show up again and again. In brace scams, beneficiaries are offered “free” back, knee, or wrist braces. Provide or confirm your Medicare number, and the brace ships and Medicare gets billed, whether you needed it or not. Genetic testing scams work the same way: free cheek swabs or screening kits dangled to harvest Medicare numbers for fraudulent claims.

Both have a sting in the tail. The HHS Office of Inspector General warns that a fraudulent brace claim can later cause Medicare to deny equipment you genuinely need, because its records show you already got one. And if Medicare denies a fraudulent genetic-testing claim, you can be left owing the cost, which can run into the thousands.

Prescription and pharmacy fraud

The third path runs through the pharmacy. The FTC’s definition of medical identity theft explicitly includes using your information to get prescription drugs. Beyond the billing problem, this one quietly corrupts your medication history. A drug you never took, sitting in your pharmacy or provider record, can interact badly with real decisions a future doctor makes about your care.

Why People Discover It So Late

Financial fraud usually announces itself. A declined card, a strange charge, an alert from your bank. Medical identity theft tends to surface sideways, through paperwork, weeks or months after the fact.

The first visible signal is almost always an insurance document, a bill, or a debt collector. The FTC’s list of warning signs is a good checklist:

  • An Explanation of Benefits for a service or prescription you never received
  • A medical bill you don’t recognize
  • A debt collector contacting you about a medical debt you don’t owe
  • A medical collection appearing on your credit report
  • A notice that you’ve hit a benefit limit you never came close to using

Medicare beneficiaries have the same blind spot, which is why Medicare.gov tells people to compare the dates and services on their statements against their own calendar. The fraud doesn’t show up labeled as fraud. It shows up as a brace, a lab test, a drug-plan charge, or a service line buried in a long claim history that nobody reads closely.

The practical takeaway: read your EOBs and Medicare statements like a bank statement. Most people throw them out. That habit is exactly what this fraud depends on.

Why It’s Harder to Fix Than Financial Fraud

I want to be specific about why this category is more work, because “harder” without a reason is just hand-waving.

There’s no central record to correct. Financial identity theft has a clear system of record. The bureaus hold your credit file, and the dispute process, while slow, runs through a handful of known parties. Medical identity theft is scattered. The bad information can sit with a doctor, a hospital, a pharmacy, a lab, a health plan, a Medicare contractor, a billing vendor, and a collections agency, all at once. There’s no medical-records bureau you can call to fix it in one place. You work it entity by entity.

A freeze doesn’t help. This is worth saying plainly because it cuts against everything else I recommend. A provider doesn’t check your frozen credit file before submitting a claim. A pharmacy doesn’t pull your credit report to fill a prescription. A Medicare scammer doesn’t open a new credit account at all. The single most effective free tool against financial identity theft, the credit freeze, does almost nothing here. The FTC’s own guidance treats credit cleanup as a secondary step in medical cases, behind correcting your medical records.

The false records are more consequential. In financial fraud, the fake event is a transaction. In medical identity theft, the fake event looks like care: a diagnosis, a medication, a procedure, a device. Those entries can follow you into real treatment decisions.

There’s a privacy paradox. This one catches people off guard. When you ask a provider for the records tied to the thief’s visit, the provider may refuse, reasoning that it’s protecting the privacy of the person who received the care, who is the thief. The FTC anticipates exactly this. If a provider won’t release records on privacy grounds, you appeal through the contact in the provider’s Notice of Privacy Practices, the patient representative, or the ombudsman. You have a right to the records that describe what was done under your name.

The Recovery Process: What to Actually Do

There’s no single phone call that fixes this. There is a sequence that works, and it goes in a specific order. Doing it out of order, starting with the credit bureaus, wastes the time when it matters most.

1. Map where the fraud touched the system

Before you fix anything, find everywhere the bad information might live. Make a list of every doctor, clinic, hospital, pharmacy, lab, equipment supplier, insurer, Medicare or Medicare Advantage plan, and collection agency that could be holding a false record. The FTC’s instruction is to contact each one where the thief may have used your information and request the relevant records. This list is your work plan for everything that follows.

2. Get the records, not just the bill

Ask for the actual medical record, billing record, itemized claim, Explanation of Benefits, Medicare Summary Notice, and pharmacy or lab record tied to each suspicious service. The bill alone won’t let you prove what’s wrong.

HIPAA is on your side here. The Privacy Rule gives you the right, with narrow exceptions, to inspect and get copies of the medical and billing records held by your providers and health plans. A provider can’t withhold your records because you haven’t paid a bill, though it can charge reasonable copying and mailing fees. (HHS explains your right to access your medical records in plain terms.)

3. Dispute the errors in writing

Don’t just call. Calls leave no trail. Send a written dispute that names the specific wrong item: the visit, prescription, device, diagnosis, test, provider, date, charge, or claim number. Include a copy of the record showing the error, explain why it’s wrong, and send it in a trackable way, such as certified mail.

The provider has to respond, and it has to notify other providers who may have copied the same mistake into their records. Under HIPAA, you can formally request that incorrect information be amended. If the provider or plan created the information and it’s wrong, it has to fix it. If it disagrees with you, you have the right to file a statement of disagreement that becomes part of your record, so anyone reading the file sees your side.

4. Work the insurer or Medicare fraud channel

For private insurance, call the plan’s fraud department and ask for a corrected claim history. For Medicare, report suspected fraud to 1-800-MEDICARE or to HHS OIG online. If you’re on Medicare Advantage or a Part D drug plan, you can also reach the Medicare Drug Integrity Contractor that handles those investigations. Ask, in every case, for a corrected record of claims, not just an acknowledgment that you called.

5. Use IdentityTheft.gov for the identity-theft layer

Report the theft at IdentityTheft.gov to generate a personal recovery plan and an official identity theft report. This matters most when the same stolen information could also be used for financial fraud, government-benefit fraud, or account takeover, which is common. The information that let someone bill your insurance can usually do other damage too.

6. Check your credit reports last, not first

If a false medical bill goes to collections, it can eventually reach your credit file. At that point, pull your free reports, look for medical collections you don’t recognize, and dispute them using the IdentityTheft.gov steps. But treat this as the back end of the process. It’s cleanup after the medical system has already produced bad billing data, not a way to prevent any of it. Starting here, which is most people’s instinct, means starting at the end.

What the HHS Office for Civil Rights Complaint Process Does

People reach for the OCR complaint process expecting it to fix their case directly. It usually won’t, and knowing what it’s actually for saves you from filing the wrong thing.

OCR is the office that enforces HIPAA. You file with OCR when the problem isn’t just “someone stole my identity” but “a HIPAA-regulated organization broke the rules.” That includes a provider refusing to give you records you need to fix medical identity theft, a health plan ignoring a valid amendment request, an organization mishandling your protected health information, or a botched breach notification.

A few practical points. Anyone can file a complaint about a HIPAA Privacy, Security, or Breach Notification violation. The complaint has to name the covered entity or business associate, describe what they did or failed to do, and generally be filed within 180 days of when you learned about the problem, unless OCR grants more time for good cause. OCR can only act against organizations that are actually bound by HIPAA, which covers most providers, hospitals, pharmacies, health insurers, and government health programs like Medicare and Medicaid.

After you file, OCR checks whether the complaint is timely and within its jurisdiction. If it investigates and finds a problem, the organization may have to take corrective action, change its practices, or settle. If OCR isn’t satisfied, it can impose civil penalties.

Use OCR as a lever, not a substitute.

OCR is not a credit bureau, an insurer, or a personal billing-resolution service. A complaint can pressure a covered entity to honor your access rights, protect your records, or fix a systemic privacy failure. It does not clean up the specific false claims in your case. You still do that directly with the providers, insurers, Medicare, and collection agencies on your map. Where OCR earns its keep is when a provider is stonewalling you on records you have a legal right to. The complaint is the formal escalation that tends to get attention.

What to Monitor Afterward

Medical identity theft recovery isn’t one-and-done. The same stolen data can be reused, and corrected records have a way of un-correcting themselves as old claims work through the system.

For at least a year, keep an eye on your insurer’s portal, your Explanations of Benefits, your Medicare.gov claims and Medicare Summary Notices, your pharmacy and lab bills, and any collection letters. The FTC’s prevention advice is plain and worth following: keep medical and insurance records somewhere secure, shred documents before tossing them, black out personal details on prescription bottles before disposal, bring your mail in promptly, ask why a provider needs your Social Security number before you hand it over, and never give medical information to anyone who calls, texts, or emails you out of the blue. The “free brace” call is not a courtesy. It’s the front end of a billing scheme.

Where Paid Services Fit, and Where They Don’t

I’ll be straight about this, since it’s the kind of thing the marketing tends to blur. Most identity protection services are built around credit monitoring and new-account alerts, and that machinery is close to useless against medical identity theft, for all the reasons above. Some plans do monitor for certain health or insurance signals, and a few advertise it heavily, but the monitoring is not where the value is for this particular problem.

Where a service can earn its keep is restoration support. The recovery process I just walked through is fragmented, slow, and exhausting, and it’s the kind of thing that’s genuinely easier with a knowledgeable person handling the calls and paperwork alongside you. If you’re weighing whether that’s worth paying for, I cover that decision honestly in whether identity protection is worth it. Don’t buy a service expecting it to prevent medical identity theft. Buy it, if you buy it, for the help cleaning up after the fact.

The Honest Bottom Line

Financial identity theft is account cleanup. Medical identity theft is record cleanup, and the records are scattered across providers, insurers, Medicare, pharmacies, and labs, with no central bureau to fix them in one place. The credit freeze that stops most other identity theft does almost nothing here. The credit bureaus only matter if a false bill spills into collections.

The fix isn’t complicated, but it is a process: map every place the fraud touched, get the actual records, dispute the errors in writing, work the insurer and Medicare fraud channels, file with IdentityTheft.gov, and use the HHS OCR complaint process as a lever when an organization won’t honor your rights. Check your credit last.

And the single habit that catches this early costs nothing: read your EOBs and Medicare statements the way you’d read a bank statement. The fraud counts on you not bothering.

If you want the broader picture of what these services do and don’t watch, our guide to what identity protection services actually monitor lays it out. If you’re dealing with the financial side of an identity theft case as well, start with someone opened a credit card in your name. And because Medicare is such a frequent target, our guide to protecting an aging parent from scams is worth a read if you’re helping an older relative.


Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.


Recommended resources: