Health insurer Anthem is offering free credit monitoring after a major breach that may have affected as many as 80 million records, but customers should watch out for an especially insidious type of fraud: medical identity theft.
Anthem disclosed the hack late Wednesday, saying customer information that could have been compromised includes names, Social Security numbers, street addresses—and the medical ID numbers found on customers' health insurance cards.
Criminals can use those numbers at hospitals, emergency rooms and pharmacies to receive care and prescriptions, racking up charges and wrecking victims' medical records. (No health data or financial information was included in the breach, the company said.)
"It's like an unlimited credit card that gets you 'free' access to expensive services and drugs," said Bob Gregg, CEO of ID Experts, which provides breach-response services to major U.S. companies. "Everyone thinks about credit cards and bank accounts, but medical identity theft can be much more damaging and extremely hard to fix."
That's because any medical care a criminal receives while using a victim's ID number gets added to the victim's health record—and may go unnoticed for months or even years. The effects "can be life-threatening," as the U.S. Department of Health and Human Services notes on its website.
Imagine an unwitting medical ID theft victim who is rushed to the hospital for emergency gallbladder removal, but the patient's record shows the gallbladder was removed last year. That could cause confusion for the healthcare providers and serious delays in treatment, as could incorrect information about blood types or possible drug interactions.
Anthem wouldn't comment specifically on the potential for medical identity theft, but vice president of communications Kristin Binns told NBC News: "The best advice and counsel we can give people is that if they've been impacted, they'll receive information through a mailing. We're offering credit monitoring for a year and we encourage people to call the number in the mailing if they have any questions."
Consumers can take steps to protect themselves, said Gregg, whose company offers a medical identity protection program. Both Ponemon and Gregg agreed the best way consumers can catch fraudulent medical services is by checking every Explanation of Benefits (EOB): the statements medical providers send after providing treatment.
Check credit reports to be sure there are no odd medical bills listed, and contact the insurer immediately if a charge looks unfamiliar. Upon request, health insurers will also provide a list of benefits paid out in a customer's name each year.
Other tips focus on the common sense and caution that should be applied when handling any sensitive information: Shred medical documents before throwing them out, report lost ID cards and don't give your medical ID number to anyone who may not have your best interests at heart.
But those suggestions won't stop ID numbers from being stolen when the insurers themselves are breached.
"If 2014 was the year of the data breach, we're expecting 2015 to be the year of the medical data breach," Gregg said. "Unfortunately, I think Anthem is going to be the first of many."