Everyone worries about stolen credit cards or hacked bank accounts, but just visiting the doctor may put you at greater risk for identity fraud.

Those medical forms you give the receptionist and send to your health insurer provide fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information. The names, birth dates and – most importantly – Social Security numbers detailed on those forms can help hackers open fake credit lines, file false tax returns and create fake medical records.

“It’s an entire profile of who you are,” said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston. “It essentially allows someone to become you.”

Social Security numbers were created to track the earnings history of workers in order to determine government benefits. Now, health care companies are, in some cases, required to collect the numbers by government agencies. They also use them because they are unique to every individual and more universal than other forms of identification like driver’s licenses, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health care information technology.

But once someone creates a stolen identity with a Social Security number, it can be hard to fix the damage. A person can call a bank to shut down a stolen credit card, but it’s not as easy a process when it comes to Social Security numbers.

“There is no such mechanism with Social Security numbers and our identity,” said Avivah Litan, a cybersecurity analyst at the research firm Gartner. “You can’t just call the bank and say, ‘Give me all the money they stole from my identity.’ There’s no one to call.”

So being that the data is so vital to protect, health care companies are taking every precaution to defend against hackers, right?

Not necessarily. The FBI warned health care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd of security software company Trend Micro. The warning came in a government bulletin to U.S. companies that cited research by a nonprofit security institute, he said.

Last year, more than 10 million people in the U.S. were affected by health care data breaches – including hacking or accidents that exposed personal information, such as lost laptops – according to a government database that tracks incidents affecting at least 500 people. That was the worst year for health care hacking since 2011.


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.