60+ Medical Identity Theft Statistics in 2026 (Data + Trends)

Shamai Cohen

CEO of FaxSIPit Services Inc.

Medical identity theft is one of the most financially damaging forms of identity fraud in the United States. A single stolen medical record sells for up to $1,000 on the dark web, worth 10 to 50 times more than a credit card number. Victims spend months or years untangling corrupted medical records, disputed insurance claims, and bills for treatments they never received.

At FaxSIPit, we have spent over 35 years building fax infrastructure for regulated industries, including healthcare, legal, and finance. We compiled the most current medical identity theft data available from primary sources, including the FTC, HHS Office for Civil Rights, IBM, and the Ponemon Institute, so organizations handling protected health information can see the full scope of the problem.

Key Takeaways

  • ~2.3 million Americans experienced medical identity theft annually as of the last major study (Ponemon Institute, covering 2014 data), but the FTC logged over 10,000 self-reported cases in 2024 alone, a number that represents significant underreporting.

  • Medical records sell for $250 to $1,000 on the dark web, 10 to 50 times more than credit card numbers, because they contain permanent personal information that cannot be canceled.

  • Healthcare data breaches cost organizations $7.42 million on average according to IBM's 2025 Cost of a Data Breach report, making healthcare the costliest sector for breaches 14 years running.

  • Victims spend an average of 200+ hours and $13,453 resolving medical identity theft (Ponemon Institute, covering 2014 data), with 25% of cases taking more than two years.

  • 67% of stolen medical identities are used to obtain medical services or treatments under someone else's name, according to the Ponemon Institute.

Medical Identity Theft Prevalence

Medical identity theft affects millions of Americans, though the exact number is difficult to pin down. The most rigorous prevalence studies stopped in 2015, and self-reported FTC data captures only a fraction of actual cases.

  1. ~2.3 million Americans experienced medical identity theft annually as of the Ponemon Institute's last study, which covered 2014 data and was published in 2015. This is the most-cited figure in the field, including by Google's AI Overview for this topic, but it is over a decade old.

  2. The FTC received 10,116 medical identity theft reports in 2024. This represents self-reported cases only. The actual number is far higher because most victims do not report to the FTC. Medical identity theft accounted for 0.9% of the 1,135,270 total identity theft reports that year. (FTC Consumer Sentinel Network Data Book)

  3. FTC reports of medical identity theft rose 309% between 2017 and 2022, climbing from approximately 6,800 reports to 27,820. (FTC)

FTC medical identity theft reports, 2017 to 2022. Source: FTC Consumer Sentinel Network Data Book.

Medical services fraud cases spiked to 45,000 in 2020 during the COVID-19 pandemic, driven in part by telehealth fraud and pandemic-related healthcare disruptions. Reports declined to roughly 14,000 by 2023 as pandemic-era fraud patterns normalized. (FTC)

  1. 1.85 million Americans experienced medical identity theft in 2013, up from 1.5 million in 2009. The upward trend across three Ponemon Institute studies (2009, 2013, 2015) shows the problem was growing before research stopped.

  2. 50% of healthcare organizations reported experiencing at least one medical identity theft incident, according to the Ponemon Institute.

  3. Total identity theft reports reached 1,135,270 in 2024, a 9.5% increase year over year, with total fraud losses hitting $12.5 billion across all identity theft types. (FTC Consumer Sentinel Network Data Book)

What Medical Identity Theft Costs

The financial damage operates on two levels: individual victims pay thousands out of pocket to clean up corrupted records, and healthcare organizations absorb millions per breach.

Cost to Victims

  1. Victims pay an average of $13,453 out of pocket to resolve medical identity theft, according to the Ponemon Institute's study covering 2014 data. This figure has not been updated since 2015.

  2. 55% of medical identity theft victims paid an average of $2,500 out of pocket. A smaller subset paid significantly more, which pulls the overall average to $13,453.

  3. 65% of medical identity theft victims incurred some financial cost in resolving the fraud. The remaining 35% resolved the issue without direct financial impact.

  4. Medical identity theft costs the U.S. healthcare system an estimated $30 billion to $41 billion annually, a range from Medical Identity Fraud Alliance and Ponemon Institute research. The wide range reflects different methodologies for calculating systemic costs including fraud losses, compliance remediation, and patient harm.

  5. One documented victim received a $113,424 medical bill from Scripps Health after an identity thief received treatment, including lab work and X-rays, under her name. She discovered the fraud only when the bill arrived. (CBS8 investigation)

Cost to Healthcare Organizations

  1. Healthcare data breaches cost organizations an average of $7.42 million per breach, according to IBM's 2025 Cost of a Data Breach report. This is a 24% decrease from the $9.77 million reported in the 2024 report, but healthcare remains the costliest sector.

What a healthcare data breach costs organizations. Source: IBM Cost of a Data Breach report.

Healthcare has been the costliest sector for data breaches for 14 consecutive years, according to IBM's Cost of a Data Breach report. No other industry comes close.

  1. U.S.-specific breach costs surged to $10.22 million, a 9% increase year over year. IBM refers to this as the "U.S. surcharge" on data breach costs. (IBM Cost of a Data Breach report)

  2. Healthcare data breaches take an average of 279 days to identify and contain, five weeks longer than the global cross-industry average. (IBM Cost of a Data Breach report)

  3. The Change Healthcare breach cost UnitedHealth Group between $2.457 billion and $3.1 billion, making it the most expensive healthcare breach in U.S. history. A $22 million ransom was paid in Bitcoin to the BlackCat/ALPHV ransomware group. (UnitedHealth Group)

  4. Organizations using AI and automation in security operations reduced breach costs by $2.2 million on average, according to IBM's 2025 Cost of a Data Breach report. Healthcare organizations without AI-assisted security tools paid significantly more per incident.

Why Medical Records Are Worth More Than Credit Cards

Medical records are the highest-priced type of stolen data on the dark web because they contain permanent personal information that cannot be cancelled or reissued.

  1. A single medical record sells for $250 to $1,000 on the dark web, according to Security.org. The price depends on the completeness of the record and whether it includes insurance details.

  2. Credit card numbers sell for $5 to $110 on the dark web. Medical records sell for 10 to 50 times the price of credit card data. (Security.org)

Medical records ($250-$1,000) sell for far more than credit card numbers ($5-$110). Source: Security.org.

Medical records cannot be cancelled or frozen like credit cards. A credit card can be deactivated in minutes. A medical record contains a person's Social Security number, date of birth, insurance policy details, and complete health history. None of these can be changed after a breach.

  1. Criminals use stolen medical records to build complete identity kits known as "fullz." A fullz package combines a patient's PII, insurance credentials, and health data into a single profile that enables medical services fraud, prescription fraud, and insurance billing fraud simultaneously. (Security.org)

How Stolen Medical Identities Are Used

Most stolen medical identities are used to obtain healthcare services, prescriptions, or insurance payouts under someone else's name. The following data comes from the Ponemon Institute's Third Annual Survey on Medical Identity Theft, which covered 2013 data.

  1. 67% of medical identity theft cases involved the thief obtaining medical services or treatments under the victim's identity, including surgeries, emergency room visits, and diagnostic procedures.

  2. 61% of cases involved obtaining prescription drugs or medical equipment using the victim's identity and insurance coverage.

  3. 46% of cases involved illegally billing insurance plans using stolen patient identities.

  4. 15% of medical identity theft incidents involved insider breaches, where healthcare employees misused patient information for personal gain or sold it to outside parties.

Medical identity theft creates downstream problems that financial identity theft does not. First, victims can end up with corrupted medical records containing the thief's blood type, allergies, diagnoses, and medication history. A wrong blood type on file can cause a fatal transfusion reaction. Second, victims report having insurance claims denied for pre-existing conditions they do not actually have, exhausted benefits from treatments they never received, and cancelled insurance policies. Third, false diagnoses on a victim's medical record can cause failed pre-employment physicals and job losses when conditions like HIV, substance use disorders, or psychiatric diagnoses appear in background checks.

Healthcare Data Breaches Fueling Identity Theft (2024-2025)

Healthcare data breaches are the pipeline feeding medical identity theft. Every breach that exposes patient records creates potential identity theft victims. Breach volume has doubled since 2018 and shows no sign of slowing. For a full breakdown, see our healthcare data breach statistics.

  1. 742 large healthcare data breaches were reported to HHS OCR in 2024, affecting 289.2 million individuals. This was a record year, driven largely by the Change Healthcare breach. (HHS OCR Breach Portal)

  2. Approximately 710 large healthcare breaches were reported to HHS OCR in 2025, affecting 61.6 million individuals. The 78.7% drop in individuals affected reflects the absence of a single mega-breach on the scale of Change Healthcare, but the breach count itself remained near 2024 levels. (HHS OCR Breach Portal, HIPAA Journal)

  3. Healthcare organizations now experience approximately 2 large data breaches per day, based on the 700-plus annual reports to HHS OCR. This rate has held steady since 2023. (HHS OCR Breach Portal)

  4. The annual healthcare breach count has plateaued at 700 to 750, roughly double the rate from 2018. Despite increased cybersecurity spending, breach volume has not declined. (HHS OCR Breach Portal)

  5. The Change Healthcare breach exposed 192.7 million patient records, the largest healthcare breach in U.S. history. The attack exploited compromised credentials on a Citrix remote access portal that lacked multi-factor authentication. The BlackCat/ALPHV ransomware group was responsible. (HHS OCR)

  6. The Ascension Health breach affected 5.6 million patients after an employee downloaded a malicious file from a phishing email. The Black Basta ransomware gang encrypted systems across 136 hospitals, forcing pen-and-paper operations and ambulance diversions for nearly four weeks.

  7. The Verizon Data Breach Investigations Report logged 1,492 healthcare incidents, with 1,438 confirmed data disclosures in its most recent reporting period. (Verizon DBIR)

Ransomware Impact on Healthcare

  1. 67% of healthcare organizations worldwide experienced a ransomware attack in 2024, according to Sophos's State of Ransomware in Healthcare report.

  2. Healthcare ransomware attacks cost an average of $1.9 million per day in downtime, based on a Comparitech analysis of 654 ransomware incidents at hospitals, clinics, and pharmacies from 2018 to 2024. Total downtime losses exceeded $21.9 billion over the six-year period.

  3. Average ransomware downtime exceeds 17 days per attack in healthcare. During downtime, organizations operate on paper records, divert ambulances, postpone surgeries, and delay treatment. (Comparitech)

  4. Average ransomware recovery cost in healthcare reached $2.57 million, excluding the ransom payment itself. (Sophos)

  5. An estimated 42 to 67 Medicare patient deaths between 2016 and 2021 have been attributed to ransomware-delayed care, based on academic research analyzing mortality patterns at hospitals during and after ransomware attacks.

  6. Ransomware demands in healthcare dropped 91% in 2025, from an average of $4 million to $343,000. The decline likely reflects improved negotiation tactics and increased refusal to pay rather than a decrease in attack severity.

  7. 74% of healthcare ransomware attacks targeted hospitals, with the remaining 26% hitting pharmacies, outpatient clinics, and other secondary institutions. (Comparitech)

How Medical Identity Theft Happens

Hacking and IT incidents account for the vast majority of healthcare breaches. Phishing, stolen credentials, and unpatched vulnerabilities are the primary entry points. For related data, see our healthcare cybersecurity statistics.

  1. Hacking and IT incidents caused 79 to 80% of all healthcare data breaches, based on HHS OCR breach reporting data. This category has dominated healthcare breach causes for several consecutive years. (HHS OCR Breach Portal)

  2. System intrusion accounted for 53% of confirmed healthcare breaches, according to the Verizon Data Breach Investigations Report. System intrusion includes ransomware deployments, data exfiltration, and other multi-step attacks.

Leading patterns behind confirmed healthcare data breaches. Source: Verizon Data Breach Investigations Report.

Third-party and vendor-related breaches doubled from 15% to 30% in one year, reflecting growing supply chain risk in healthcare. The Change Healthcare breach is the highest-profile example of third-party vendor risk materializing. (Verizon DBIR)

  1. Vulnerability exploitation accounted for 20% of healthcare breaches, a 34% year-over-year increase driven by unpatched edge devices and legacy systems. (Verizon DBIR)

  2. Phishing was the initial attack vector in 14 to 16% of healthcare breaches. The Ascension Health breach, which affected 5.6 million patients, began with a single phishing email. (Verizon DBIR)

  3. Stolen or compromised credentials were responsible for 11 to 15% of healthcare breaches. The Change Healthcare breach, the largest in U.S. history, started with a single set of stolen credentials on a portal without MFA. (Verizon DBIR)

  4. 60% of healthcare breaches involved a human element, including employees falling for phishing, credential misuse, and privilege abuse. (Verizon DBIR)

  5. Only 54% of critical edge-device vulnerabilities were fully patched across organizations at the time of breach. The median time to patch a critical vulnerability was 32 days. (Verizon DBIR)

  6. Ransomware was present in 48% of all confirmed breaches, up from 44% the prior year. (Verizon DBIR)

Who Is Most at Risk

Seniors bear a disproportionate share of medical identity theft losses. Hospitals absorb the majority of ransomware attacks. And the most populous states report the highest breach volumes.

By Age and Demographics

  1. Seniors aged 60 and older account for approximately 35% of medical identity theft cases, despite representing roughly 23% of the U.S. population. (FBI Internet Crime Report)

  2. Identity theft losses among adults 60 and older surged 70%, reaching $48.5 million in reported losses tied to medical and other identity fraud. (FBI Internet Crime Report)

  3. Total identity theft losses for adults 60 and older reached $3.4 billion in 2023 across all identity theft types, making seniors the most financially impacted demographic. (FBI Internet Crime Report)

  4. Adults aged 30 to 39 filed the highest number of identity theft reports to the FTC in 2024, though their per-incident losses were lower than older age groups. (FTC Consumer Sentinel Network Data Book)

  5. Adults aged 80 and older reported median identity theft losses exceeding $1,600, the highest median per-incident loss of any age group. (FTC)

States With the Most Healthcare Breaches (2024)

  1. Texas and California each reported approximately 60 healthcare data breaches in 2024, leading all states. The following table shows the 10 states with the highest breach counts. Breach volume correlates with state population and healthcare provider density.

| State | Healthcare Breaches (2024) |
|---|---|
| Texas | ~60 |
| California | ~60 |
| New York | 46 |
| Illinois | 43 |
| Florida | 37 |
| Pennsylvania | 31 |
| Ohio | 29 |
| Massachusetts | 29 |
| Tennessee | 25 |
| Michigan | 22 |

Source: HHS OCR Breach Portal, HIPAA Journal

How Long Medical Identity Theft Takes to Detect and Resolve

Medical identity theft is harder to detect than financial fraud because there is no real-time monitoring system for medical records. Victims often discover the theft months after it occurs, and resolution can take years.

  1. Medical identity theft takes an average of 3 or more months to detect. Unlike credit card fraud, which triggers immediate alerts from banks, there is no automatic notification when someone uses a person's medical identity. Victims most commonly discover the theft through unexpected medical bills, Explanation of Benefits (EOB) statements for services they did not receive, debt collection notices, or denial of coverage at the point of care.

  2. Resolving medical identity theft takes an average of 12.1 months, with victims spending over 200 hours contacting providers, insurers, credit bureaus, and law enforcement.

  3. 25% of medical identity theft cases took more than two years to resolve. Victims reported being bounced between providers, insurers, and law enforcement with no single point of resolution.

HIPAA Enforcement and Penalties

Healthcare organizations that fail to protect patient data face enforcement action from HHS OCR. Penalties have increased in both frequency and dollar amount since 2024. For full enforcement data, see our HIPAA fines statistics and HIPAA violation statistics.

  1. 22 HHS OCR investigations resulted in penalties or settlements in 2024, with an additional 10 penalties issued through May 2025. (HHS Resolution Agreements)

  2. More than $9.4 million in HIPAA penalties have been issued since the start of 2024. Combined with earlier enforcement actions, total fines tied to ransomware incidents, phishing attacks, and right-of-access failures exceed $15 million. (HHS Resolution Agreements, HIPAA Journal)

  3. The largest recent HIPAA settlement was $3 million, against Solara Medical Supplies, stemming from a phishing attack that exposed the records of 114,000 individuals. Other notable penalties include $1.5 million (Warby Parker) and $1.19 million (Gulf Coast Pain Consultants). (HHS Resolution Agreements)

  4. The most common HIPAA violation triggering enforcement is failure to conduct a compliant security risk analysis. This single failure appeared in the majority of recent settlements. (HHS Resolution Agreements)

Healthcare Cybersecurity Spending

Healthcare organizations are increasing cybersecurity budgets, but staffing and patching gaps remain significant.

  1. The average healthcare cybersecurity budget reached $66 million in 2024, a 12% year-over-year increase. (HIMSS Cybersecurity Survey)

  2. 55% of healthcare organizations plan to increase cybersecurity spending in 2025. (HIMSS Cybersecurity Survey)

  3. 30% of healthcare organizations are spending 7% or more of their total IT budget on cybersecurity, up from lower allocations in previous years. (HIMSS Cybersecurity Survey)

  4. 57% of healthcare organizations are increasing investment in AI-based security tools, while only 34% are increasing cybersecurity staffing. The gap between tool investment and human capital investment is a growing concern as attack complexity rises. (HIMSS Cybersecurity Survey)

How to Protect Yourself From Medical Identity Theft

These steps can help individuals detect medical identity theft early and limit the damage.

  • Review every Explanation of Benefits (EOB) statement. Compare EOBs against your actual medical visits. Look for providers you did not see, services you did not receive, or billing codes you do not recognize.

  • Request a copy of your medical records annually. Under HIPAA, patients have the right to request their complete medical records from any provider. Review them for unfamiliar diagnoses, medications, or procedures.

  • Check your insurance benefits summary. Contact your insurer and ask for a summary of benefits paid in your name over the past 12 months. Flag any claims you did not authorize.

  • Place a fraud alert or credit freeze. Contact all three credit bureaus (Equifax, Experian, TransUnion) to place a fraud alert or freeze your credit to prevent new accounts from being opened in your name.

  • Report suspected medical identity theft. File a report with the FTC at IdentityTheft.gov, contact the HHS Office of Inspector General at oig.hhs.gov, and notify your healthcare provider's privacy officer.

  • Monitor your credit reports. Free annual credit reports are available at AnnualCreditReport.com.

  • Secure document transmission. Organizations handling protected health information should verify that fax, email, and other document transmission channels meet HIPAA compliance requirements.

Frequently Asked Questions

How common is medical identity theft?

Medical identity theft affects an estimated 2.3 million Americans per year. That figure covers 2014 data and is the most-cited number in the field, but no large-scale prevalence study has been published since. Self-reported data captures only a fraction of real cases, so the true number is almost certainly higher.

How many Americans have been victims of medical identity theft?

Roughly 2.3 million Americans experience medical identity theft annually. The FTC logged 10,116 self-reported medical identity theft cases in 2024, but most victims never file a report. The gap between the two numbers reflects how badly this fraud is undercounted.

What is the #1 cause of healthcare data breaches?

Hacking and IT incidents cause 79 to 80% of all healthcare data breaches. This category has led healthcare breach causes for several consecutive years. Phishing, stolen credentials, and unpatched vulnerabilities are the most common entry points within it.

Why are medical records worth more than credit cards on the dark web?

A single medical record sells for $250 to $1,000 on the dark web, 10 to 50 times more than a credit card number, which sells for $5 to $110. The difference comes down to permanence. A credit card can be cancelled in minutes, but a record containing a Social Security number, date of birth, insurance details, and full health history cannot be reissued after a breach.

How long does it take to resolve medical identity theft?

Resolving medical identity theft takes an average of 12.1 months, with victims spending more than 200 hours contacting providers, insurers, credit bureaus, and law enforcement. About 25% of cases take longer than two years to resolve. Detection is slow on its own, since there is no real-time monitoring for medical records the way there is for credit card fraud.

The Bottom Line

Medical identity theft remains one of the most damaging and least tracked forms of identity fraud. The last major prevalence study is over a decade old, the breach pipeline has doubled since 2018, and victims still spend an average of 12.1 months cleaning up the damage.

The data gap is itself a risk. Without current prevalence research, healthcare organizations and regulators are working with outdated numbers that likely understate the problem. What is measurable, the 700-plus breaches reported annually to HHS, the $7.42 million average breach cost (IBM, 2025), and the 279-day detection timeline, points to a problem that has grown since the last time anyone tried to measure it directly.

At FaxSIPit, we operate a dedicated fax network built on over 35 years of infrastructure expertise, serving healthcare, legal, and financial organizations that depend on secure document transmission. For organizations handling protected health information, securing every transmission channel is one piece of a compliance strategy that these statistics show cannot wait.

Sources

  1. Ponemon Institute: Third Annual Survey on Medical Identity Theft

  2. FTC: Consumer Sentinel Network Data Book

  3. IBM: Cost of a Data Breach Report

  4. HHS OCR: Breach Portal

  5. Verizon: Data Breach Investigations Report

  6. Security.org: Medical Identity Theft

  7. Comparitech: Ransomware Attacks on Hospitals

  8. Sophos: State of Ransomware in Healthcare

  9. HIPAA Journal: Healthcare Data Breach Report

  10. FBI: Internet Crime Report

  11. HIMSS: Healthcare Cybersecurity Survey

  12. HHS: Resolution Agreements (HIPAA Enforcement)

  13. CBS8: Medical Identity Theft Investigation

  14. Medical Identity Fraud Alliance

  15. UnitedHealth Group: Investor Reports

Shamai Cohen

Shamai Cohen is the CEO of FaxSIPit Services Inc., a cloud fax infrastructure company headquartered in Vancouver, Canada. With a background in economics and over a decade at FaxSIPit — from project coordinator to chief executive — Shamai leads the company's mission to deliver compliance, continuity, and confidence in fax solutions for regulated industries. Under his leadership, FaxSIPit serves 300+ channel partners across 40+ countries and continues to expand its direct enterprise offering for healthcare, legal, and financial organizations.
