Health insurer Anthem is offering free credit monitoring after a major breach that may have affected as many as 80 million records, but customers should watch out for an especially insidious type of fraud: medical identity theft.
Anthem disclosed the hack late Wednesday, saying customer information that could have been compromised includes names, Social Security numbers, street addresses -- and the medical ID numbers found on customers' health insurance cards.
Criminals can use those numbers at hospitals, emergency rooms and pharmacies to receive care and prescriptions, racking up charges and wrecking victims' medical records. (No health data or financial information was included in the breach, the company said.)
"It's like an unlimited credit card that gets you 'free' access to expensive services and drugs," said Bob Gregg, CEO of ID Experts, which provides breach-response services to major U.S. companies. "Everyone thinks about credit cards and bank accounts, but medical identity theft can be much more damaging and extremely hard to fix."
That's because any medical care a criminal receives while using a victim's ID number gets added to the victim's health record -- and may go unnoticed for months or even years. The effects "can be life-threatening," as the U.S. Department of Health and Human Services notes on its website.
Imagine an unwitting medical ID theft victim who is rushed to the hospital for emergency gallbladder removal, but the patient's record shows the gallbladder was removed last year. That could cause confusion for the healthcare providers and serious delays in treatment, as could incorrect information about blood types or possible drug interactions.
Anthem wouldn't comment specifically on the potential for medical identity theft, but vice president of communications Kristin Binns told NBC News: "The best advice and counsel we can give people is that if they've been impacted, they'll receive information through a mailing. We're offering credit monitoring for a year and we encourage people to call the number in the mailing if they have any questions."
"I think consumers just aren't aware of this. They don't understand how, exactly, this information can be used and why it can be so dangerous," Larry Ponemon, founder of the privacy and information security research firm Ponemon Institute, told NBC News.
Ponemon Institute's 2013 study (the most recent available) about medical ID theft estimated that about 1.84 million adult Americans or close family members had at some point been victims of medical identity theft -- up from 1.52 million the previous year. More than one-third of victims said they incurred out-of-pocket costs, which averaged nearly $19,000 per person.
Medical ID numbers sold online can fetch $20-$100 each versus just $1-$5 for financial information, said Gregg, the ID Experts CEO. Some physicians have begun asking for photo ID, but the practice isn't widespread and "anyone who can get access to your medical ID number can probably fake a license pretty quickly," he said.
Untangling wrecked medical records can be an arduous process even for the experts, as privacy laws protect the release of health information and it can be tough for victims to prove they're not the ones who actually received treatment. Some victims end up paying the fraudulent bills to resolve the situation after months of frustration, Ponemon said.
Consumers can take steps to protect themselves, said Gregg, whose company offers a medical identity protection program. Both Ponemon and Gregg agreed the best way consumers can catch fraudulent medical services is by checking every Explanation of Benefits (EOB): the statements insurers send after a customer receives treatment.
Check credit reports to be sure there are no odd medical bills listed, and contact the insurer immediately if a charge looks unfamiliar. Upon request, health insurers will also provide a list of benefits paid out in a customer's name each year.
Other tips focus on the common sense and caution that should be applied when handling any sensitive information: Shred medical documents before throwing them out, report lost ID cards and don't give your medical ID number to anyone who may not have your best interests at heart. But those suggestions won't stop ID numbers from being stolen when the insurers themselves are breached.
"If 2014 was the year of the data breach, we're expecting 2015 to be the year of the medical data breach," Gregg said. "Unfortunately, I think Anthem is going to be the first of many."