Medical records are the most valuable type of stolen data on the black market, worth roughly $408 per record and well above the cross-industry average. Unlike a credit card number, which can be reissued, your diagnosis, blood type and medical history cannot be changed. If your healthcare provider has notified you of a data breach, here is exactly what to do.
Why Medical Data Breaches Are Especially Dangerous
In 2025, at least 642 healthcare breaches affected approximately 57 million Americans. The average breach cost healthcare organizations $7.42 million per incident — the highest of any industry. And the problem is getting worse: vendor and third-party breaches doubled in one year, jumping from 15% to 30% of all healthcare incidents.
Stolen medical data enables a range of particularly harmful fraud:
- Medical identity theft: Criminals use your information to file fraudulent insurance claims, obtain prescription drugs, or receive medical treatment in your name. This can corrupt your medical records with someone else's diagnoses and allergies — potentially life-threatening if it leads to incorrect treatment.
- Tax fraud: Your Social Security number from healthcare records can be used to file fraudulent tax returns.
- Targeted phishing: Scammers use specific knowledge of your medical treatments to craft highly convincing phishing emails and calls. "We noticed an issue with your recent cardiology appointment" is far more persuasive than a generic phishing attempt.
- Financial fraud: The combination of SSN, date of birth, address, and insurance information from a medical breach provides everything needed to open new credit accounts.
Medical Data Can't Be Changed
When your credit card number is stolen, you can get a new one. When your medical history is stolen, there's no replacement. Corrupted medical records — with someone else's blood type, allergies, or conditions added to your file — can lead to dangerous treatment errors. Acting quickly after a breach is essential.
Immediate Steps to Take
1. Read the Breach Notice Carefully
When a healthcare provider notifies you of a breach, the notice should specify exactly what data was exposed. Pay attention to whether the breach included:
- Social Security number
- Insurance ID and policy numbers
- Medical diagnoses and treatment records
- Prescription information
- Financial or payment information
The type of data exposed determines which steps are most urgent.
2. Place a Fraud Alert or Credit Freeze
If your SSN was exposed, contact the three credit bureaus right away. A fraud alert placed with any one bureau is forwarded to the other two, but a credit freeze must be requested separately at each:
- Equifax: 800-525-6285
- Experian: 888-397-3742
- TransUnion: 800-680-7289
A credit freeze is stronger than a fraud alert. It blocks lenders from pulling your credit file, so most attempts to open a new account in your name fail at the application stage until you lift the freeze. It does not affect accounts you already hold, so keep checking those statements too. Freezing and lifting are free and take minutes online at each bureau.
3. Review Your Explanation of Benefits (EOB) Statements
Go through your insurance EOB statements for any unfamiliar claims, procedures, or prescriptions. Medical identity theft often shows up first as phantom insurance claims — treatments or doctor visits that you never had. Contact your insurer immediately if you spot anything you don't recognize.
4. Check Your Credit Reports
Visit AnnualCreditReport.com to pull free copies of your credit reports from all three bureaus. Look for accounts you did not open, hard inquiries you do not recognize, and addresses you have never lived at. Financial fraud can follow a healthcare breach within weeks, and the bureau report is where a new account opened in your name first shows up.
5. Get an IRS Identity Protection PIN
If your SSN was compromised, apply for an Identity Protection PIN from the IRS at irs.gov/ippin. This six-digit number must accompany any return filed under your SSN, so a fraudulent return submitted without it is rejected. The PIN is valid for one calendar year and the IRS issues a new one each January, so retrieve the current PIN before filing season.
6. Accept Any Free Monitoring Offered
The breached organization will typically offer free credit monitoring or identity theft protection. Accept it; it costs you nothing and adds a layer of detection. Keep in mind what it does and does not do: monitoring tells you after a new account or inquiry appears, while a credit freeze stops most of those accounts from being opened in the first place, so use both rather than relying on monitoring alone.
7. Change Passwords and Enable MFA
Change the password on any account associated with the healthcare organization, and enable multi-factor authentication (MFA) wherever available. If you used the same password elsewhere, change those accounts too.
Beware of Follow-Up Phishing
After a medical data breach, scammers often send fake emails, texts, or calls pretending to be from the breached organization or offering "identity protection services". Never click links in unsolicited messages about the breach; type the organization's official website address yourself instead. If you want to confirm the message, call the number printed on your insurance card or on the provider's own site, not the number in the message.
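A quick way to apply the "go directly to the official site" rule to a message you have received is to check where each link actually points. The script below is an added example, not code from the original page or from any provider: it pulls every http(s) URL out of a message, extracts the hostname, and classifies it as official (the organization's real domain or a subdomain of it), lookalike (a domain that borrows the organization's name but lives elsewhere), or unknown (anything else, including link shorteners). The domain lakesidehealth.example, the keyword list and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the organization actually uses. Assumed for this example; in practice,
# take them from your insurance card or the printed breach letter, never from the message.
OFFICIAL_DOMAINS = ("lakesidehealth.example",)
# Name fragments a lookalike domain would try to borrow.
ORG_KEYWORDS = ("lakeside", "lakesidehealth")

URL_RE = re.compile(r"""https?://[^\s<>"'()]+""", re.IGNORECASE)

# Constructed message text imitating a post-breach phishing email; not a real sample.
SAMPLE_MESSAGE = """\
Dear patient, our records show your data was part of the recent incident.
Confirm your identity within 24 hours to keep your free protection:
https://lakesidehealth-secure-enroll.com/verify?id=7731
You can also read the official notice at https://www.lakesidehealth.example/breach-notice
or use our quick link https://bit.ly/lh-protect
"""


def host_matches(host, official):
    """True only if host is exactly the official domain or a subdomain of it.
    Requires a dot boundary, so evil-lakesidehealth.example does not match."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def classify_host(host):
    """official: under a known-good domain; lookalike: contains the org's name
    but is not under a known-good domain; unknown: everything else."""
    host = host.lower()
    if any(host_matches(host, d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(k in host for k in ORG_KEYWORDS):
        return "lookalike"
    return "unknown"


def check_links(message):
    """Return [(url, host, verdict)] for every http(s) link found in the message."""
    results = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        results.append((url, host, classify_host(host)))
    return results


def safe_to_click(message):
    """True only when the message contains links and every one of them is official."""
    findings = check_links(message)
    return bool(findings) and all(verdict == "official" for _, _, verdict in findings)


if __name__ == "__main__":
    for url, host, verdict in check_links(SAMPLE_MESSAGE):
        print(f"{verdict:9s} {host:40s} {url}")
    print("safe to click:", safe_to_click(SAMPLE_MESSAGE))
```

The check is deliberately strict: a single lookalike or shortened link makes the whole message untrustworthy, because a phishing email will often mix one genuine link in with the malicious one to look legitimate.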
Ongoing Monitoring
A medical data breach isn't a one-time event — stolen medical data can be used months or even years later. Put these ongoing monitoring habits in place:
- Check your EOB monthly: Review every insurance statement for claims you didn't make. Don't wait until a problem becomes obvious.
- Request your medical records annually: Get a copy of your medical records from every provider and check for entries, diagnoses, or treatments that aren't yours.
- Monitor your credit: Set up free alerts through your bank or credit monitoring service to catch new account openings immediately.
- Watch for IRS notices: If you receive an IRS notice about unreported income or a duplicate tax return, it may indicate someone is using your SSN.
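Step 3 above and the monthly EOB check both come down to the same reconciliation: every claim on an insurer statement should correspond to a visit you actually made. The script below is an added example, not code from the original page or from any insurer, showing that reconciliation over a handful of constructed EOB lines. It keeps your own appointment log as the ground truth and flags two things: claims whose provider and date are not in your log (the phantom-claim signature of medical identity theft) and a second claim for the same date, provider and service (a billing error or a fraudulent resubmission). The provider names, claim IDs and amounts are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    """One line from an Explanation of Benefits statement."""
    claim_id: str
    service_date: date
    provider: str
    service: str
    billed: float


# Constructed sample EOB lines for illustration; these are not real claims.
EOB_CLAIMS = [
    Claim("C-1001", date(2025, 3, 4), "Lakeside Family Practice", "Office visit", 180.00),
    Claim("C-1002", date(2025, 3, 4), "Lakeside Family Practice", "Blood panel", 95.00),
    Claim("C-1003", date(2025, 5, 19), "Summit Pain Clinic", "Oxycodone 30mg, qty 60", 410.00),
    Claim("C-1004", date(2025, 6, 2), "Lakeside Family Practice", "Office visit", 180.00),
    Claim("C-1005", date(2025, 6, 2), "Lakeside Family Practice", "Office visit", 180.00),
]

# Your own appointment log (also constructed): the ground truth you reconcile against.
MY_VISITS = {
    (date(2025, 3, 4), "Lakeside Family Practice"),
    (date(2025, 6, 2), "Lakeside Family Practice"),
}


def reconcile(claims, visits):
    """Return (unknown, duplicates) as lists of claim IDs.

    unknown:    claims whose (date, provider) pair is not in your visit log.
    duplicates: a claim repeating an earlier (date, provider, service) triple.
    """
    unknown, duplicates, seen = [], [], set()
    for c in claims:
        if (c.service_date, c.provider) not in visits:
            unknown.append(c.claim_id)
        key = (c.service_date, c.provider, c.service)
        if key in seen:
            duplicates.append(c.claim_id)
        seen.add(key)
    return unknown, duplicates


def unknown_providers(claims, visits):
    """Providers you have never visited; each one is worth a call to the insurer."""
    known = {provider for _, provider in visits}
    return sorted({c.provider for c in claims if c.provider not in known})


if __name__ == "__main__":
    unknown, dupes = reconcile(EOB_CLAIMS, MY_VISITS)
    by_id = {c.claim_id: c for c in EOB_CLAIMS}
    for cid in unknown:
        c = by_id[cid]
        print(f"UNKNOWN   {cid}: {c.service_date} {c.provider} / {c.service} ${c.billed:.2f}")
    for cid in dupes:
        c = by_id[cid]
        print(f"DUPLICATE {cid}: {c.service_date} {c.provider} / {c.service}")
    print("Providers never visited:", unknown_providers(EOB_CLAIMS, MY_VISITS))
```

In practice the claims come from your insurer's EOB export and the visit log from your own calendar; the point is that the reconciliation is only as good as the visit log, so record appointments as they happen rather than trying to reconstruct them after a breach notice arrives.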
Your HIPAA Rights After a Breach
Federal law gives you specific rights when your healthcare data is breached:
- Timely notification: Covered entities must notify you without unreasonable delay, and no later than 60 calendar days after discovering a breach of unsecured protected health information. Breaches affecting 500 or more people are also reported to HHS.
- Access to your records: You have the right to inspect and obtain a copy of your own health records. A provider must act on the request within 30 days (one 30-day extension is allowed) and may charge only a reasonable, cost-based fee for copies.
- Accounting of disclosures: You can request a log of disclosures of your records made in the past six years. Routine disclosures for treatment, payment and healthcare operations are excluded, but impermissible disclosures, including those that make up a breach, must be listed, which makes the accounting useful for identifying unauthorized access.
- File a complaint: If you believe your rights were violated, you can file a complaint with the HHS Office for Civil Rights.
Consider Legal Options
Class action lawsuits are increasingly common after large healthcare data breaches. If you've suffered financial losses or identity theft as a result of a breach, consult a data breach attorney — many work on contingency. Be aware of your state's statute of limitations for filing a claim.
Protect Yourself Beyond the Breach
A medical data breach is a wake-up call to protect your personal information across the board. Your name, address, phone number, and other personal details are likely already published on dozens of data broker sites — making it even easier for criminals to combine stolen medical data with your publicly available information.
PrivacyOn monitors over 100 data broker sites and automatically removes your personal information, reducing the amount of data available to criminals who may be looking to exploit a medical breach. Combined with credit monitoring and the steps above, a comprehensive approach to data privacy gives you the strongest possible protection after a healthcare data breach.