Healthcare data breaches are surging — in 2025 alone, over 100,000 Medicare accounts were compromised in a single incident, and the massive Change Healthcare breach affected roughly one-third of Americans. If your health insurance account has been hacked, the consequences go far beyond a simple password reset. Medical identity theft can result in fraudulent claims, corrupted health records, and financial devastation. Here's exactly what to do.
Why Health Insurance Hacks Are So Dangerous
Health insurance data is more valuable to criminals than credit card numbers. A stolen credit card can be canceled in minutes, but your medical identity — insurance ID, Social Security number, medical history, and personal details — can be exploited for years. Criminals use stolen health insurance credentials to:
- File fraudulent medical claims — billing your insurance for treatments, surgeries, or prescriptions they never provided
- Obtain prescription drugs — using your insurance to fill prescriptions for controlled substances
- Receive medical care under your identity — which corrupts your medical records with someone else's conditions, allergies, and blood type
- Commit tax fraud — using your SSN and personal information for tax return fraud
- Open new accounts — using your identity to obtain credit cards, loans, or additional insurance policies
Corrupted Medical Records Can Be Life-Threatening
When someone receives medical care under your identity, their medical information gets mixed into your health records. This can include incorrect blood types, drug allergies, or medical conditions. In an emergency, doctors relying on corrupted records could make treatment decisions based on wrong information — a potentially life-threatening situation.
Immediate Steps (First 24 Hours)
Step 1: Secure Your Account
- Change your password immediately — use a strong, unique password that isn't used on any other account
- Enable two-factor authentication if your insurer offers it
- Check for unauthorized changes to your account — address updates, added dependents, or changed contact information
- Log out of all sessions if the option is available in your account settings
Step 2: Contact Your Health Insurer
- Call the number on your insurance card — not a number from an email, as it could be a phishing attempt
- Report the breach and ask them to flag your account for suspicious activity
- Request a new member ID number — your old one should be considered compromised
- Ask about fraud alerts — many insurers can place monitoring flags on your account
- Get confirmation in writing — ask for an email or letter documenting your report
Step 3: Review Your Explanation of Benefits (EOB)
Your EOB statements show every claim filed under your insurance. Review recent statements carefully for:
- Medical services you didn't receive
- Providers or facilities you've never visited
- Prescriptions you didn't fill
- Dates when you know you didn't have medical appointments
- Claims from locations you've never been to
Within the First Week
Step 4: Place Fraud Alerts and Credit Freezes
Since health insurance breaches often expose Social Security numbers, you need to protect your credit. Contact the three credit bureaus to place a fraud alert or credit freeze:
- Equifax: 1-800-525-6285
- Experian: 1-888-397-3742
- TransUnion: 1-800-680-7289
A fraud alert requires creditors to verify your identity before opening new accounts. A credit freeze prevents new accounts from being opened entirely and is the stronger protection.
Step 5: Report to Federal Authorities
- FTC: File an identity theft report at IdentityTheft.gov or call 1-877-438-4338
- FBI IC3: Report the cybercrime at ic3.gov if you believe it's part of a larger hacking operation
- HHS Office for Civil Rights: If your insurer hasn't notified you of a breach they're aware of, file a HIPAA complaint at hhs.gov/ocr
Step 6: Contact Your Healthcare Providers
- Request copies of your medical records from all providers you use regularly
- Review them for inaccuracies — incorrect diagnoses, treatments, or medications that aren't yours
- Ask providers to flag your records for potential identity theft
- Request an "accounting of disclosures" — under HIPAA, you have the right to see who has accessed your medical records
Your Rights Under HIPAA
The Health Insurance Portability and Accountability Act gives you the right to access your medical records, request corrections, receive an accounting of disclosures, and be notified of breaches. Your insurer and healthcare providers are legally required to help you address medical identity theft.
Ongoing Protection
Step 7: Monitor Everything
- Review EOB statements every time they arrive — don't just file them away
- Check your credit reports at AnnualCreditReport.com from all three bureaus
- Monitor your bank accounts for unauthorized transactions related to medical billing
- Set up alerts with your insurer for any new claims filed under your policy
- Watch for medical bills for services you didn't receive — these could indicate ongoing fraud
Step 8: Correct Fraudulent Records
If you find fraudulent entries in your medical records:
- Submit a written request for correction to each provider and your insurer
- Include documentation — your FTC identity theft report, police report, and a detailed explanation of which entries are fraudulent
- Follow up — providers have 60 days to respond under HIPAA
- Keep records of all correspondence and corrections
Protect Yourself From Future Attacks
- Use unique, strong passwords for all healthcare accounts
- Enable two-factor authentication wherever available
- Be cautious of phishing — never click links in emails claiming to be from your insurer; go directly to their website instead
- Don't share your insurance card — treat your member ID number like a credit card number
- Shred physical documents containing your insurance information
- Review your insurance company's privacy practices and opt out of unnecessary data sharing
Why Comprehensive Identity Protection Matters
Health insurance hacks rarely happen in isolation. The personal data stolen — your name, SSN, address, date of birth — likely already exists on dozens of data broker sites, making it easier for criminals to verify stolen health data and commit fraud across multiple areas of your life.
PrivacyOn addresses this by removing your personal information from over 100 data broker and people-search sites, reducing the amount of data available to criminals. With dark web monitoring, PrivacyOn alerts you if your health insurance information, Social Security number, or other sensitive data appears on criminal marketplaces — often before the breach is publicly announced. Family plans covering up to 5 people help protect everyone on your insurance policy.