Protect Yourself from Medical Identity Theft and Privacy Violation

Have you heard the story about the woman in Florida who received bill after bill from the local hospital for an amputation she didn’t have? After endless hours of wrangling over the telephone, she finally settled the situation by marching into the hospital on her own two feet and propping them up on the administrator’s desk. It turned out that she was a victim of medical identity theft — a very modern kind of crime, in which someone obtains private information about you and your health insurance coverage and uses it to get prescription drugs, treatment or even an operation.

This story illustrates my concerns about new online health tools, such as the ones from Microsoft and Google that enable you to keep virtual records of everything related to your health care, from prescription renewals to immunizations to drug allergies to medical records to test results. It sounds like an excellent idea — efficient and easy use of modern technology, and often at no charge. Some hospitals and doctors are connecting to the services as well, theoretically improving efficiency and reducing the risk of medical errors. The problem is that in a world where anyone can hack into any system, online medical records become something of a Pandora’s box. The troubles that may arise could be far worse than the problems these online health tools seem to solve. Here are some pros and cons, which you may want to consider before logging on…


Several companies are setting up Web sites that enable patients to keep their own medical records online. At the forefront are technology giants Google (Google Health) and Microsoft (Microsoft HealthVault), but individual health care providers and insurers are also developing tools. Government is getting involved too, as Medicare is testing a pilot e-prescription program. The White House is supporting an initiative to create electronic medical records for most Americans by 2014, with the goals of streamlining doctor-patient communication, saving time and eliminating waste and errors.


But whatever benefits online medical records might one day provide, right now they pose a significant threat to health information privacy, warns James C. Pyles, Esq., a principal at Powers, Pyles, Sutter & Verville PC in Washington, DC. The Health Insurance Portability and Accountability Act (HIPAA), which was supposed to protect the privacy of people’s health records, not only falls short of its original intent, it doesn’t even apply to many of the organizations that would be handling health information in a national electronic health information system. So the risk is not only that your information could get leaked or be stolen, it could be possible for some companies to legally peddle your private health data to insurers, Big Pharma or anyone else who wants to pay for it — without notice to you and against your will. The site administrators promise to adhere to voluntary security measures, but there’s no way to guarantee their compliance because patients are not notified when and how their health information is used and disclosed. This opens consumers up to the possibility that sensitive information (say, the fact that a patient has an expensive-to-treat cancer or is HIV positive) can get into the wrong hands.


Illegal hacking poses an even greater challenge, as hackers are notoriously difficult to thwart. Any and all Web sites are susceptible to technical and human errors… in fact, just since January 2005, the privacy of more than 47 million electronic health records was compromised when systems were hacked into and/or left unprotected, and there were also instances where computers storing the information were stolen.

There is virtually no way to extricate inaccurate and false information from an electronic medical record once it has been corrupted through hacking, Pyles told me. Damage to credit from unpaid bills — whether or not the bills are legitimate — is difficult to repair. Even more disturbing, inaccuracies that suddenly appear in your online medical records can lead to potentially life-threatening problems. If you’re in an accident, for example, and are unconscious when brought to the hospital, incorrect data could result in a serious problem, such as a transfusion with the wrong blood type or administration of a medicine to which you are allergic.

Another thing to fear is fear itself. Patients worried about breaches will compromise their health by withholding vital information from doctors. The Department of Health and Human Services has determined that more than two million Americans already fail to seek treatment for mental illness each year due to privacy concerns and nearly 600,000 Americans with cancer delay or fail to seek diagnosis and treatment for the same reasons. They worry that news of a stigmatizing disease could get out and damage their ability to provide for themselves and their families. This is an even greater concern now that we are in a recessionary economy, as many consumers fear they will not be able to get credit to meet mortgage payments or send their children to college.


Recent industry surveys and even a Presidential blue ribbon task force have concluded that the technology is simply not available to ensure the privacy of health information in an electronic information system. Additionally, until the industry decides on a common software platform or system, the process is far too fractured to be effective. It won’t work to have pockets of people on assorted systems — both health care providers and consumers need to be accessing the same database(s) in order to realize the benefits of efficiency. Still, many people are opting for online medical records as a way to keep their information more organized. If that’s your choice, go about it as safely as possible, as you would to avoid identity theft in general. Suggestions include…

  • When choosing an online system to use, be sure it is administered by a company you know and trust, or one that has been recommended and vetted by your health care provider. Read and make sure you agree with the company’s privacy policy.
  • When signing a notice of privacy practices, write on it that you are agreeing to have the services provided on the condition that your health information will be disclosed only with your express consent.
  • Choose your password with care. Don’t select one using information that you wouldn’t want widely available, such as your Social Security number or telephone number. Likewise, do not choose passwords that can easily be guessed, such as your birthday or your last name. Memorize your password. Keep a record somewhere in your home.
  • Keep tabs on your wallet or purse. These often contain everything an identity thief needs — not only your health insurance card, but also your driver’s license and credit cards.
  • Don’t carry around your Social Security card or anything with your Social Security number written on it. Check, too, whether it appears as your health insurance card number… and if so, ask to have it changed at once. (Insurance companies once routinely used Social Security numbers as insurance IDs.)
  • Maintain a list of toll-free numbers for health insurance cards, credit cards and important account numbers in a separate location from your wallet, so that you can report immediately if cards are lost or stolen.
  • Consider having your “snail mail” delivered to a secure, locked location.
  • Carefully review all medical and credit card bills each month. Promptly report any irregularities and challenge any disputed charges.
  • Check credit reports for miscellaneous unpaid medical claims.
  • Make sure psychotherapy notes by mental health professionals are not included in the general medical record. Under the HIPAA Privacy Rule, express authorization must be obtained for the disclosure of this information.
  • Shred sensitive medical and financial papers before disposing of them.
  • Do everything you can to prevent companies from sharing your personal information with others. For example, online companies often include a box you can check specifying you only want follow-up e-mail from them and that you do not grant permission to sell your e-mail address to other companies.
  • Learn more about your privacy rights and how to protect them at (the website of the Privacy Rights Clearinghouse).

Any and all of these measures will help protect you from online medical identity theft, but it’s not a risk you can stop thinking about… better safe than sorry.

Privacy Rights Clearinghouse,
