For John Kuhn, a simple X-ray after a snowboarding accident turned into an accounting nightmare when the hospital billed him $20,000 for a surgery he never had.
"So I had to go down in front of the billing department no less and pull up my shirt and show them that I did not have any major scarring on my stomach at all," Kuhn said.
It turns out the hospital’s hard drive had been stolen along with Kuhn’s medical records.
He’s not alone, experts say health care-record hacking is skyrocketing — up 11,000 percent last year alone.
Roughly one out of every three Americans had their health care records compromised and most are completely unaware. Such hacks give criminals a wealth of personal information that, unlike a credit card number, can last forever.
Kuhn’s records were among the 100 million health care records stolen last year.
Many of those records show up for sale on the “dark web” where hackers openly advertise themselves and what they’ve stolen.
One site offers fresh healthcare profiles stolen last year in California boasting "you can use those profiles for normal fraud stuff or to get a brand new healthcare plan for yourself."
Etai Maor showed NBC News the type of computer station where such transactions are made.
"This is where information from big data breaches ends up as a commodity and is sold," he said.
Stolen credit cards go for $1-$3 each. Social Security numbers are $15. But complete health care records are a gold mine, going for $60 each.
That’s because criminals can use such records to order prescriptions, pay for treatments and surgery and even file false tax returns.
"You basically own a person. You have all the information. You can create a new account, you can fake his whole identity," Maor said.
And, unlike credit cards that can be quickly canceled, health care information lives forever.
To avoid getting hacked, security professionals advise the following:
- Following good password practices
- Avoid using the same email account for banking and shopping.
- Use pin codes on your IRS returns.
- Avoid giving out your social security number, even the last four digits, to hospitals and doctors’ offices.
"You really need to push back on those situations and say 'Look, can I give you a PIN or some piece of information that I can change on a regular basis?'" Caleb Barlow, vice president of strategy at IBM Security.
In the meantime, Kuhn said he’s grateful that demonstrating he never had surgery helped get his hospital charges dismissed.
And he has a bit of advice for others who might find themselves in a similar situation.
“If your name is ever involved in a security breach of you've been notified by an organization of a security breach, you should definitely take advantage of the free credit monitoring that comes after that,” Kuhn said. “Also it's critically important before you go to the healthcare institution, that you understand their security policies, that you understand what they are doing with your information, how did they protect your information at that point.”