Medical Identity Theft: A Modern Day Plague

When you read an account of the devastating “Black Death” Plague that spread across Europe and Asia in Medieval times, it’s impossible not to be awed by the statistics.  In just five years, one-third of Europe’s population, 25 million people, were dead.  It hit so fast and so unexpectedly that people were unable to protect themselves.  As one writer summarized, “A terrible killer was loose across Europe, and medieval medicine had nothing to combat it.”

While experiencing medical identity theft isn’t always as devastating as dying from the plague, it’s easy to draw some parallels.

  • Both affect people in such a way that they are completely unaware of it until it is often too late? Check.
  • It can spread unexpectedly fast? Check.
  • The victims are not limited to one group, whether by country, age, race, or socioeconomic class? Check.
  • People can die as a result of it? Check!

I don’t mean to get too melodramatic, but this topic is on my mind today because of the results of recent reports using data gathered by the Ponemon Institute in which they revealed some equally incredible statistics:

  • Nearly 43% of all record breaches in personal information in 2014 involved health records. (That’s more than those involved with banking and finance, education, the government and the military AND THIS WAS BEFORE THE ANTHEM BREACH!)
  • Since the U.S. Department of Health and Human Services started keeping records in 2009, the medical records of 27.8 – 67.7 million people have been breached.
  • Of those, there are an estimated 2.32 million Americans who have become victims of medical identity theft. Again, those statistics were compiled before the Anthem data breach, which may affect as many as 80 million more!
  • Cyber attacks on health care providers have doubled since 2010.

Medical ID theft is the fraudulent acquisition of someone’s personal information (name, Social Security number, health insurance number) for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

The importance of understanding medical identity theft cannot be overemphasized.  Some important reasons:

  • The information taken in a health care breach is non-alterable (you can’t change your Social Security number or birth date) and is therefore valuable forever on the black market.
  • It can be significantly more expensive to recover from a medical data breach.  Unlike credit card fraud, which has a liability limit of $50, the Ponemon study suggests that 65% of medical identity theft victims had to pay an average of $13,500 to resolve the crime.
  • In addition to the cost, it took victims more than a year to successfully dispute the charges, clear up their medical records, and repair the damage to their credit.
  • When your credit card is stolen, you are notified quickly of suspicious activity.  Healthcare providers may not even know about your information being used, let alone advise you about suspicious activity.  On average, it takes up to three months for medical identity theft victims to learn of fraudulent activity.

I’ve addressed this topic before so rather than repeat myself as to the methodology of the criminals and how to be preventative, I’ll send you back to a Burning Questions episode I did back when the last survey was released.

If you don’t think it’s important to be well-informed on this topic, consider the words of James Pyles, a Washington, D.C. lawyer who has dealt with health issues for more than 40 years: “It’s almost impossible to clear up a medical record once medical identity theft has occurred.  If someone is getting false information into your file, theirs gets laced with yours, and it’s impossible to segregate what information is about you and what is about them.”

For now, medical identity theft is a plague with no readily available cure. It will take legislation, technological leverage and a lot more attention on the part of health providers to eliminate this nasty virus.

John Sileo is an award-winning author and keynote speaker on keeping your organization from becoming the next data breach headline. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

How Do I Stop Obamacare Identity Theft? [Burning Questions Ep. 3]

Today marks the start of the Affordable Care Act (aka Obamacare). As with any new, massive, government-sponsored program, scammers and identity thieves will try to take advantage of the public’s confusion and unfamiliarity with the new Health Exchanges (which we’re calling Obamacare Identity Theft).


Medical Identity Theft Expert John Sileo on Fox

Medical Identity Theft Expert John Sileo speaks with Fox and Friends about how to avoid medical identity theft, and whether or not it can kill you. Luckily, even if medical identity theft could theoretically kill you, there are excellent and easy steps you can take to catch it early or prevent it entirely. Watch the video and then comment below with your questions or expertise.

John Sileo is a keynote speaker and medical identity theft expert with clients that include the Pentagon, Pfizer, Blue Cross, Blue Shield and many other health and financial organizations. See other videos on Medical Identity Theft here.


Can Medical Identity Theft Really Kill You? [Burning Questions Ep. 2]

There has been a great deal in the news about medical identity theft leading to death. Is it possible? Yes. Is it likely? Less likely than dying of a heart attack because you eat too much bacon. But let’s explore the possibility of death by medical identity theft (below, in this article), and why the threat gets sensationalized (in the video).


Medical Identity Theft Experts See Fast Growth

Healthcare data breaches are on the rise, 32% over last year. Though some may find this to be alarming, there is a school of thought that this is actually good news and that we are identifying breaches that perhaps went unnoticed in the past. However, the fact remains that breaches are on the rise, statistically, and many organizations fear they lack the infrastructure and budget to protect patient privacy.

The study found the reasons for growing data breaches in healthcare organizations to include:

  • employee mistakes and sloppiness
  • lost or stolen mobile computing devices
  • unintentional employee action
  • third-party error

On average, it is estimated that data breaches cost benchmarked organizations $2,243,700. This represents an increase of $183,526 from the 2010 study, despite healthcare organizations’ increased compliance with federal regulations.  Respondents in the study noted that they are relying less on an “ad hoc” process to prevent or detect data breach incidents and more on policies, procedures and security.

Additional loss considerations to healthcare organizations include:

  • Productivity loss
  • Brand or reputation diminishment
  • Loss of patient goodwill
  • Potential for patient churn

Countermeasures being put in place to improve year-over-year breach statistics:

  • Employee training on policies and procedures governing information protection
  • Evaluation of organization-wide protection procedures for mobile devices
  • Enhancing the guidelines relative to privileged user and access governance of patient data

Conducted by Ponemon Institute and sponsored by ID Experts, the study utilized in-depth, field-based research involving interviews rather than a traditional survey-based approach.

Summary of the top findings:

  • Over the last 24 months, 96% of organizations have had at least one data breach and, on average, organizations have had 4 data breach incidents, up from 3 cited in last year’s report.
  • The average economic impact is approximately $2.2 million, up $200,000 over last year.
  • The average number of lost or stolen records per breach was 2,575 compared to last year’s average of 1,769.

Top 3 causes of data breach:

  • Lost or stolen computing devices
  • 3rd party snafu
  • Unintentional employee action

Methods of Detection

  • Employees are most often the group to detect the data breach, followed by audits and finally, by patient complaints
  • The average time to notify data breach victims is approximately 7 weeks
  • A year-over-year increase (10%) is shown in organizations implementing an electronic health record (EHR) system

What a patient can do:

  • Sign-up for an identity monitoring service that includes both credit monitoring and medical identity monitoring.
  • Review explanation of benefits, insurance statements and medical summaries in detail.
  • Use passwords strategically. Don’t use the same one for all devices and mix them up using letters, numbers and symbols.
  • Stay alert to requests for personal data. Reputable organizations do not ask for this information over unsecured channels.
  • Read your financial statements thoroughly.
  • Freeze your credit or place a fraud alert on your credit (contact Equifax, Experian or TransUnion).
  • Get a free credit report by going to or calling 1-877-322-8228.

John Sileo is an award-winning author and speaks worldwide on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply results and increase performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Contact him on 800.258.8076 or learn more at