Electronic medical records make your data easier to steal, because any clerk with access can load the information onto a thumb drive and sell it, says a spokesman for the Coalition Against Insurance Fraud. (Bigstock)

Most of us tightly guard our credit cards and bank account numbers, but health insurance policy numbers are also prime targets for thieves. An estimated 1.84 million people were victims of medical identity theft in 2013, according to the Poneman Institute, a research organization, which expects that number to rise.

Victims often don’t realize they’ve been targeted until they discover a drop in their credit score or until a collection agency comes after them for unpaid medical bills, says Jim Quiggle, director of communications for the Coalition Against Insurance Fraud, a group that includes insurers, consumer activists and government officials. While most of the cost of medical identity theft is borne by the health-care industry and government, the Poneman Institute estimates that about 36 percent of victims in 2013 incurred out-of-pocket costs such as reimbursements for services provided to impostors, legal fees and identity protection services. The average cost for these victims amounted to $18,660; in a few cases, it exceeded $100,000

Medical identity theft can happen in several ways. In one common scenario, the criminal persuades a consumer to divulge his health insurance number. Strategies for collecting these numbers can be highly sophisticated, especially when crooks operate in teams,Quiggle says. “They might invite seniors to bogus health fairs where they take their blood pressure and give them some nutritional supplements and ask to see their Medicare cards.”

Jennifer Trussell, who investigates medical identity theft for the Department of Health and Human Services’ Office of Inspector General, has seen cases where criminal rings target senior centers or homeless shelters and offer people $50 for, say, their Medicare number. “That information is sold again and again,” she says.

Even though the victims in these instances voluntarily share their numbers, they may not realize the impact, Quiggle says. “They’ll discover to their horror that their Medicare account is being rifled and even maxed out by thieves who are making false claims against their policy.”

Some cases are perpetrated by employees of medical offices or even health-case providers. Trussell worked on a case involving an Iowa chiropractor who had lifted the names and dates of birth of more than 200 patients to collect fraudulent Medicaid payments. In another case, a Baltimore pharmacy owner and two employees were indicted for allegedly submitting bogus claims for prescription refills to Medicaid and Medicare.

Sometimes medical identity theft happens with the cooperation of the victim, who allows a family member or acquaintance to use his health insurance card to obtain care. Poneman Institute founder Larry Poneman says these “Robin Hood” crimes comprised 30 percent of the medical identity thefts his group studied in 2013.

Giving your insurance number to someone in need might seem like a generous thing to do, but it’s still a crime and you could suffer consequences if the visits rack up bills that go unpaid or result in incorrect additions to your medical records, Poneman says. If an impostor’s blood type or medical condition gets added to your record, you could end up receiving inappropriate or even life-threatening treatment.

Electronic medical records make your medical data easier to steal, because any clerk with access to patient records can load patient information onto a thumb drive and sell it to cronies or crime rings, Quiggle says. And because the Internet makes electronic records easy to share, tracking down all the providers who have received incorrect data can be difficult.

So how do you protect yourself? Never give your medical identity credentials to anyone but those with a legitimate reason for needing this information, such as the billing person at your doctor’s office, Quiggle says. Treat with suspicion anyone who asks you for your insurance number without a good reason, and never give these numbers to telemarketers or callers conducting “health surveys.”

Closely scrutinize the “Explanation of Benefits” or “Medicare Summary Notice” documents that are sent to you to make sure that you actually received the services and products listed, he says.

If you see anything suspicious, ask to see your medical record to look for mistakes or evidence that your identity has been compromised. “A lot of people don’t realize that they have the right to read their medical records,” Poneman says. He recalls a case where a woman who stood more than 6 feet tall went in for bypass surgery; her medical record, however, showed that she was just over 5 feet tall because, unbeknown to her, an impostor had used her identity to receive care. Had she been given anesthesia and other drugs based on the impostor’s size, she could have faced serious problems with the surgery.

Think twice before sharing detailed medical information on social media, Trussell says. Posting a medical diagnosis on social media is akin to posting your address along with the dates that you’ll be away on vacation. An impostor could use that information to obtain services that might not raise red flags with your insurer. For instance, if you tweet about your diabetes diagnosis, Trussell says, it’s possible that “next thing you know, you’re getting diabetes test strips you didn’t order or receive billed to your insurance company.”

If you discover that your medical identity has been stolen, your first step should be a call to the police, Ponemon says. Next, call the Federal Trade Commission’s identity theft hotline, 877-ID-THEFT or report the problem online at www.ftc.gov/idtheft. Report Medicare- or Medicaid-related crimes to oig.hhs.gov/fraud/hotline or by calling 800-HHS-TIPS.