Report: The Geography of Medical Identity Theft

The report, The Geography of Medical Identity Theft, was published December 12, 2017. This report was presented at the US Federal Trade Commission Informational Harms workshop December 12, 2017.

Report Authors: Pam Dixon and John Emerson.

You are at the report main page, where you can download the report in PDF format.

Report Links:

Download Full Report (PDF, 38 pages). 

Report the Report Brief Summary, Findings, and Recommendations, Below.


Brief Summary of Report 

Medical identity theft has existed in various forms for decades, but it was in 2006 that World Privacy Forum published the first major report about the crime. The report called for medical data breach notification laws and more research about medical identity theft and its impacts. Since that time, medical data breach notification laws have been enacted, and other progress has been made, particularly in the quality of consumer complaint datasets gathered around identity theft, including medical forms of the crime.

This report uses new data arising from consumer medical identity theft complaint reporting and medical data breach reporting to analyze and document the geography of medical identity theft and its growth patterns. The report also discusses new aspects of consumer harm resulting from the crime that the data has brought to light.

Summary of Findings and Recommendations 

This report finds that medical identity theft is growing overall in the United States, however, there’s a catch. The consumer complaint data suggests that the crime is growing at different rates in different states and regions of the US, creating medical identity theft “hotspots.”

Populous states such as California, Florida, Texas, New York, and to a lesser degree, Illinois, often have high consumer complaint counts, which can result from population effects. Based on data analysis of “rate per million” so as to equalize for population, strong additional patterns emerge from the complaint data. Notably, a large cluster of southeastern states emerge as a regional hotspot for medical identity theft, with steady growth patterns. Medical identity theft hotspots have also occurred in a dispersed mix of less populous states.

In addition to documenting geographic and growth patterns, the complaint data also documented significant and heretofore largely unreported patterns of harm related to debt collection resulting from medical identity theft, including debt collections documented to be one to three years in duration.

The documentation of debt collection impacts on victims of medical identity theft is new information, and needs to be added to the understanding of how medical identity theft impacts victims of the crime. Although impacts and modalities will be discussed in detail in Part 3 of this report series, this report touches on this research as it represents a significant adjacent finding.

Key recommendations in the report include: 

  • The Department of Health and Human Services should facilitate the collection of follow up information from those affected by medical data breaches, specifically including data to document medical debt collection activity post-breach.
  • Policymakers and law enforcement agencies should take regional and state hot spots suggested by the data into account when planning resources for medical identity theft deterrence, prevention, and remedies.
  • Healthcare providers and related stakeholders need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy. These risk assessments need to include specific plans for handling patient debt collection practices, and specific procedures that will prevent debt arising from medical identity theft to be passed to a collection agency.
  • Patients, medical data breach victims, and other identity theft victims should be aware of states where medical identity theft is more active.
  • The Consumer Financial Protection Bureau should monitor medical debt collection practices more closely and address abuses.

About the Authors 

Pam Dixon is the founder and Executive Director of the World Privacy Forum. She is the author of eight books, hundreds of articles, and numerous privacy studies, including her landmark Medical Identity Theft study. She has testified before Congress on consumer privacy issues as well as before federal agencies. John Emerson is a creative technologist working at the intersection of digital design, data, and social change. His data visualizations for World Privacy Forum have ranged from US medical identity theft data to global identity datasets, among others.

About the World Privacy Forum 

The World Privacy Forum is a non-profit public interest research and consumer education group that focuses on the research and analysis of privacy-related issues. Founded in 2003, the Forum publishes significant privacy research and policy studies on health privacy, privacy self-regulation, financial privacy and identity issues, biometrics, and data broker privacy practices among other issues. The Patient’s Guide to HIPAA is a long-standing resource maintained at WPF. WPF members have testified before Congress regarding privacy issues, including health privacy, and have regularly contributed privacy expertise to agency-level workshops at the Federal Trade Commission, the FDA, and HHS. For more, see

More …. Geography of Medical Identity Theft