Medical Identity Theft: How to Protect Against Fraud

Available for Interviews: Paul Tracey

Paul Tracey is the Founder & CEO of Innovative Technologies, a Managed Security Service Provider in New York, and is a national speaker, cyber security educator, small business advocate, and author of Delete The Hacker Playbook and Cyber Storm.

What Paul Tracey can say in an interview on Medical Identity Theft:

Medical identity theft is when a criminal obtains your personal information to commit fraud; we classify that fraud as medical when health care services are the target of the fraudulent activity. The U.S. Department of Health and Human Services Office of Inspector General defines medical identity theft as the use of personal information, like your name, Social Security number, insurance, or other medical numbers, to submit fraudulent claims on a victim’s behalf to Medicaid and other health insurers without your authorization.

This theft occurs when criminals get access to your personal information without authorization and use it to defraud medical insurance and providers. There are many ways in which criminals exploit human behavior and technology to gain access to your information. They use a toolbox of resources and tactics to gain access to the systems that store your information. Just as in a legitimate business, there are several stages and multiple parties involved in each stage. In some cases, the criminals are able to coerce the information from an individual during a phishing scam call for free medical services or an imaginary bill reduction, but most cases of identity theft start with data stolen from a business.

An Example of a Data Breach That Results in Medical Identity Fraud

Stage One – Research. Criminals in 2022 do their homework on their victims. Information gathering and social engineering greatly increase the likelihood of a successful attack. Any and all public-facing information is obtained and reviewed. This can include social media, charity donation records, political donation records, and other internet services. The parties conducting this stage may not be involved in the medical fraud part, as they often just sell the data collected to "larger" criminal entities.

Stage Two – Testing. At this point, the information collected needs to be tested. Any passwords or personal information will be tested against all known accounts or common accounts such as Amazon, Walmart, Facebook, etc. Those credentials would also be tested on any known network IP or domain addresses for the business. (ex. During this stage, access to systems may be acquired if a valid password or connection was available. If not, the collection continues in the form of phishing attacks, scam phone calls, scam text messages, and exploiting network vulnerabilities.

Stage Three – Whether by the original party or a purchasing party, the collected personal/medical information is used to obtain treatment, prescriptions, or medical devices, submit claims, or obtain benefits under your name. By this stage, the attacker has an arsenal of data to impersonate the victim and will have a very high success rate. Medical records sell for 10x the amount of other records on the dark web, at right around $1500 a record, making this a very lucrative proposition.

Types of Info Cybercriminals Want

The end goal is to gain access to medical account numbers or Medicaid or insurance card numbers as they are of the most value. Attackers are after any piece of information they can use to obtain their end goal. This may start with something as simple as verifying the phone number they found online by calling and asking for someone by their first name. This is all a part of creating and understanding a virtual avatar of the victim. That avatar combined with the medical account info makes the medical fraud nearly impossible to detect initially.

Warning Signs of Medical Identity Theft
    • You get a bill for medical services you didn’t receive.
    • You hear from a debt collector about a medical debt you didn’t incur.
    • Your credit report includes health care expenditures you don’t recognize.
    • An explanation of benefits (EOB) from your insurer or a Medicare Summary Notice includes office visits you didn’t make or treatment you didn’t receive.
    • Your health plan says you’ve reached your benefits limit, citing treatment or services you did not get.
    • Someone asks in a call or email for your Medicare or insurance number as part of a health care “survey” or offers free medical products or services.

Preventing Medical Identity Theft
    • Don’t jump on offers of free health services or products, especially if accompanied by a request for your Medicare or health plan number.
    • Don’t provide medical or insurance information over the phone or in an email unless you initiated the communication and are certain with whom you’re dealing. 
    • Don’t give medical or personal information in response to an unsolicited call or email from someone who claims to be from Medicare. A Medicare representative will call only if you initiated.


Interview: Paul Tracey

After nearly a decade of success in business, Innovative Technologies continues to help clients ensure they have security and compliance procedures in place and well-trained staff. They have earned a reputation as a leading managed security services provider (MSSP) in upstate New York.

Tracey has been featured in MSP Success Magazine and on the Success Spotlight podcast, and also runs an MSSP dedicated to helping small and medium-sized businesses protect their reputation, money, and customers from cybercriminals.


Jo Allison
Managing Editor
Director of Public Relations
Success In Media, Inc.
