WPF Resource Page: The Medical Identity Theft Information Page

About medical identity theft, the world privacy forum medical identity theft report, and resources


What is medical identity theft?

Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name.

Medical identity theft is a crime that can cause great harm to its victims. Yet despite the profound risk it carries, it is the least studied and most poorly documented of the cluster of identity theft crimes. It is also the most difficult to fix after the fact, because victims have limited rights and recourses. Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.

The World Privacy Forum researched and published the first major report about medical identity theft and brought this crime to the attention of the public for the first time (Full report). We also maintain the only detailed FAQ for victims of the crime as well as consumer tips and best practices for healthcare providers. We have also published a report on health care providers’ obligations under the newly issued FTC Red Flag rules. We are currently completing the research on our second report on medical identity theft, which will be published in 2012.


REPORT: Medical Identity Theft – The Information Crime that Can Kill You

May 3, 2006

This report finds that medical identity theft is a crime that can cause great harm to its victims. False and erroneous entries in victim medical files and other harms make it imperative to understand this crime better and learn more about it and how it works.

Key recommendations in the report include:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Victims of medical identity theft should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy.

Download the report (PDF)

Read the Report


CONSUMER TIPS: FAQ for Victims of Medical ID Theft – Detailed steps for recovering from medical identity theft for victims

This FAQ for Medical ID Theft Victims is a step- by- step guide to accessing and amending medical records, getting a history of disclosures of medical files, and recovering from medical identity theft. This FAQ was republished April 20, 2012. It was originally released June 30, 2006 and has been fully updated, with many new segments added based on WPF’s current medical ID theft research. This FAQ contains sample letters for victims, and is detailed.

Read the consumer tips


CONSUMER TIPS: What to do if you are a victim of medical ID theft (or are worried about it)

These consumer tips are short and more general than our detailed FAQ for victims. These are tips suited for victims of medical identity theft, and for people who are concerned about knowing what steps they can take to detect and prevent medical identity theft. These tips were republished April 20, 2012 after a complete update based on WPF’s newest medical ID theft research.

Read the consumer tips


BEST PRACTICES: Medical Identity Theft: Best Practices and Solutions for Providers

Briefing Paper: Responses to Medical Identity Theft – Eight best practices for helping victims of medical identity theft

October 16, 2007

The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These 8 best practices are a work in progress. The World Privacy Forum has released these practices to encourage discussion of what needs to be done by the healthcare sector in order to help victims of medical identity theft. The Forum is soliciting and requesting feedback on these practices.

Read the briefing paper


Pam Dixon’s keynote speech on medical identity theft at the AHIMA National Convention

October 9, 2007

World Privacy Forum speech on medical identity theft to AHIMA with the latest research and eight best -practice responses for responding to the crime.

Download the speech (PDF)

Read the speech


REPORT: Red Flag and Address Discrepancy Requirements – Suggestions for Health Care Providers

September 24, 2008

This report discusses the applicability of the new FTC Red Flag regulations to the health care sector along with suggestions for providers. The recently issued regulations by the FTC require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers — whether they are for-profit, non-profit, or governmental entities — may have obligations under the new rules. Medical identity theft is a real concern in the health care sector, and is included expressly in the Red Flag Rules Guidelines. The new regulations take effect in 2009.

Download the report (PDF)

Read the report


INTERACTIVE MAP: Medical Identity Theft in the United States

The World Privacy Forum interactive Medical ID theft map shows the cities and towns where medical identity theft has been happening in the US. This map is based upon data from the Federal Trade Commission. To see the map, visit the map page.

View the map


CONSUMER TIPS: Patient’s Guide to HIPAA – How to Use the Law to Guard your Health Privacy

This guide is prepared by Robert Gellman for the World Privacy Forum, with assistance from Pam Dixon, executive director, World Privacy Forum. John Fanning, former privacy advocate, U.S. Department of Health and Human Services, and Dr. Lewis Lorton, health technology and privacy expert contributed to the first edition of the Guide. Robert Gellman and the World Privacy Forum take responsibility for the judgments and accuracy of information in this guide. Nothing in this guide constitutes legal advice. This is the updated version of the guide which incorporates the September, 2013 updates to HIPAA. Publication date: Sept. 20, 2013.

Read the consumer tips


What has the World Privacy Forum Been Doing About Medical Identity Theft?

The World Privacy Forum, as the organization that published the first major report about this crime, is very actively working on the issue of medical identity theft to both understand and document the crime and to find the best practices that can be used to assist victims after the fact and to detect, prevent, and deter this crime from happening. We are also working with victims of this crime to assist them.

  • The World Privacy Forum has re-published its two key resources for medical identity theft victims, the resources are completely updated with our newest research. (April, 2012).
  • The World Privacy Forum has completed numerous trainings of law enforcement and health professionals to provide assistance for victims in dealing with medical identity theft (Most recent, April 2012).
  • The World Privacy Forum has published an interactive map visualizing known medical id theft incidents in the US over the course of a year. (August, 2011).
  • The World Privacy Forum published a Patient’s Guide to HIPAA to assist all patients and victims of medical identity theft in understanding how to navigate HIPAA and better utilize their rights under HIPAA. (March 2009).
  • The World Privacy Forum is actively engaging in dialog to determine national-level standards for responding to medical identity theft, including authentication practices (current as of 2009).
  • The World Privacy Forum published a report on the Red Flag Rules set to go into effect May of 2009. (Report published September 2008).
  • The World Privacy Forum presented a workshop to providers and government stakeholders regarding medical identity theft and best practices for responding to the crime in March 2008.
  • In January 2008, a California law based on the World Privacy Forum recommendations in its report went into effect.
  • The World Privacy Forum published research-based recommendations to providers regarding best responses to the crime of medical identity theft in October 2007.
  • The World Privacy Forum presented recommendations and solutions regarding victim recovery from medical identity theft to the California Health Information Association in June 2007.
  • The World Privacy Forum filed comments with the President’s Strategic Task Force on identity theft in winter 2006 and explained the issues relating to medical identity theft. Medical identity theft was included in the Task Force’s report published in April, 2007.
  • The World Privacy Forum presented issues and solutions regarding medical identity theft as part of the HISPC project in regional meetings with health care providers and other stakeholders in November 2006.
  • The World Privacy Forum presented issues and solutions regarding medical identity theft to thought leaders in Tokyo and other parts of Japan and discussed trans-national differences in the crime. (October 2006).
  • The World Privacy Forum filed comments with the FTC and other agencies asking medical identity theft to be included in Red Flag guidelines. (September 2006).
  • The World Privacy Forum testified before AHIC on medical identity theft in September 2006.
  • The World Privacy Forum has developed detailed tips and downloadable letters for victims of medical identity theft. (June 2006).
  • The World Privacy Forum has issued the first in-depth report about medical identity theft in May 2006. This is the first major report on medical identity theft to be published.
  • The World Privacy Forum has submitted agency comments to Health and Human services to request changes to the HIPAA law to allow victims of medical identity theft expanded rights in November 2005.
  • The World Privacy Forum has testified about medical identity theft before the National Committee on Vital And Health Statistics in August 2005. This is the first known public testimony about this crime.
  • The World Privacy Forum submitted agency comments in December 2005 and asked the FTC to study medical identity theft more closely.