The Washington Post

Hackers want your medical records. Here’s how to keep your info from them.


Consumer Reports has no financial relationship with any advertisers on this site.

Theft of your personal medical information is on the rise, despite stringent privacy laws intended to safeguard it, according to a recent study in the Journal of the American Medical Association.

The breaches of electronic health records can include a vast array of personal information, including your Social Security number and medical history. The theft is the latest example of how all private data is increasingly subject to breaches, where credit card numbers, account log-ins and more end up in the wrong hands.

“Patients have an expectation of confidentiality, and breaches are a failure to meet that expectation,” says study author Thomas McCoy, research director at the Center for Quantitative Health at Massachusetts General Hospital.

McCoy and his co-author analyzed breaches of health data that were reported to the Department of Health and Human Services between 2010 and 2017. (A law passed in 2009 requires companies to inform HHS and affected individuals of any such breaches affecting at least 500 people.)

They found that breaches rose steadily almost every year. Health-care providers, such as hospitals, had fewer than 150 data breaches in 2010; in 2017, that number had risen to 250. And although breaches of health insurers have risen more slowly, the sheer amount of data compromised in those cases means that more than 110 million such records have been breached since 2010.

What are the risks?

When hackers steal health data, they can commit all kinds of identity theft — not just medical fraud, says Eva Velasquez, chief executive of the nonprofit Identity Theft Resource Center.

“Think of all the things you yourself can do with your identity credentials. You can apply for loans, you can get medical care, you can apply for government benefits,” Velasquez says. “Our medical data is rich with the [information] a thief needs to do all of that.”

Of course, you can’t just opt out of medical care, and “it really shouldn’t fall on a patient in distress to protect herself from this,” says Justin Brookman, director of consumer privacy and technology policy at Consumer Reports. “We can’t expect that burden to fall on consumers. Security laws are weak in this country, and need to be stronger.”

But you can do some things to help protect your health data. “Don’t be the low-hanging fruit,” Velasquez says.

What you can do

Don’t overshare. “The instinct within medicine — as well as in other industries — is to collect everything and keep everything, without taking the time to assess risks and benefits,” Brookman says. If you’re not sure why your doctor needs a particular piece of information, ask whether it’s really necessary. For example, many standard forms ask for a Social Security number, but it’s often fine to leave that field blank, Velasquez says; that’s a piece of personal information you should guard with extreme care. And don’t overshare on social media, she advises: “Think of your identity like a puzzle.” The more pieces you offer up to a thief — about an impending surgery, for example — the easier it will be to impersonate you.

Know who you’re talking to. If you get a call or an email that claims to be coming from your insurer or your provider, don’t provide any personal information in response, Velasquez says. Instead, call your doctor directly or log in to your insurer’s patient portal, for example, to verify that the query is really coming from them.

Read the “explanation of benefits.” Your insurer routinely mails out these summaries of medical services rendered, with “This is not a bill” printed on top. But “take 30 seconds and scan the explanations and make sure it’s really for goods or services you received,” Velasquez says. You should also take the time to briefly review everything mailed to you from doctors and your insurance company. If you spot anything suspicious, contact the provider or your insurance company; problems are easier to fix when they are spotted early.

Freeze your credit. “Unless you’re actively shopping for a mortgage, it’s better to have your credit frozen by default,” Brookman says. That prevents thieves (or anyone else) from opening a new line of credit, such as applying for a loan, in your name. Freezes are now free; you need to contact each of the three major credit agencies, Experian, Equifax, and TransUnion.

Have a plan. If your medical information is stolen, first, it’s important to know what exactly was taken. Having your Social Security number compromised is different from having an account login compromised, Velasquez says, and the steps you need to take to address a breach will vary. That’s why you should consider seeking professional help if you’ve been informed of a breach or suspect one. Your home insurance, renters’ insurance or employee benefits package may include identity protection services, Velasquez says, which can help you navigate what to do next in a breach — see what is available to you before you need it. The Federal Trade Commission can also generate a remediation plan for you and provide free assistance, as can the Identity Theft Resource Center.

 Copyright 2018, Consumer Reports Inc.


Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Read more at