
How to Protect Your Medical Records From Hackers

6 min read · By ClearShield Team

A stolen credit card number sells for $1-5 on the dark web. A stolen medical record sells for $250-1,000. Why? Because a medical record contains everything a criminal needs to commit identity theft: your full name, date of birth, Social Security number, address, insurance information, and sometimes financial data.

Credit card fraud can be detected in hours and reversed with a phone call. Medical identity theft — where someone uses your insurance to get treatment, fill prescriptions, or submit false claims — can take years to unravel and can result in incorrect medical information being added to your file. Imagine being treated for an allergy you do not have because a criminal used your identity at an ER across the country.

Healthcare data breaches are not rare. They are constant. In 2025 alone, over 130 million healthcare records were exposed in the United States. If you have been to a doctor, hospital, or pharmacy in the last decade, your records have almost certainly been affected by at least one breach.

Why Healthcare Is the #1 Target

The Data Is Incredibly Valuable

A medical record typically contains: full legal name, date of birth, Social Security number, home address, phone number, email, insurance policy number, group number, employer, prescription history, diagnoses, and sometimes payment information. This is a complete identity theft toolkit in a single file.

Healthcare Security Is Weak

Hospitals and medical practices are chronically underfunded on cybersecurity. Many run outdated software (some hospitals still use Windows systems from 2008), have overworked IT departments, and prioritize clinical operations over security infrastructure. Healthcare spends approximately 6% of IT budgets on security — compared to 15% in financial services.

The Attack Surface Is Enormous

Your medical data is shared across a vast network: your primary care doctor, specialists, labs, imaging centers, pharmacies, insurance companies, billing companies, and electronic health record (EHR) platforms. Each entity is a potential breach point, and data flows between them constantly.

Ransomware Pays

Hospitals cannot afford downtime — patients' lives are at stake. This makes them uniquely willing to pay ransomware demands to restore access to their systems. Cybercriminals know this, which is why healthcare is the most ransomware-targeted industry.

How to Protect Your Medical Records

1. Use Unique Passwords for Every Healthcare Portal

Every doctor's office, insurance company, and pharmacy with an online portal has a login — and most people use the same password for all of them. One breach exposes them all.

Unique passwords for every healthcare login

1Password creates and stores a unique, strong password for every patient portal, insurance login, and pharmacy account. If one provider gets breached, your other accounts stay protected.


2. Enable Two-Factor Authentication on Patient Portals

If your patient portal (MyChart, FollowMyHealth, etc.) offers two-factor authentication, turn it on immediately. This prevents unauthorized access even if your password is stolen in a breach.

3. Review Your Medical Records Annually

Request a copy of your medical records from your primary care provider and insurance company once a year. Look for:

  • Treatments or diagnoses you do not recognize
  • Prescriptions you never received
  • Doctors or facilities you have never visited
  • Insurance claims you did not authorize

Under HIPAA, you have the right to access your complete medical records. Most providers now offer this through patient portals.

4. Monitor Your Insurance Statements

Read every Explanation of Benefits (EOB) statement your insurance sends. These show what was billed and what was paid. If you see a charge for a service you did not receive, report it immediately — this could indicate medical identity theft.

5. Be Cautious With Health Apps

Fitness trackers, period tracking apps, mental health apps, and diet apps collect sensitive health data — and many are not covered by HIPAA. Before entering health information into any app:

  • Read the privacy policy (specifically: do they sell data to third parties?)
  • Check if data is stored on their servers or locally on your device
  • Use apps that explicitly state they do not sell or share health data

6. Limit What You Share

When filling out medical forms, provide only what is medically necessary. A dermatologist does not need your Social Security number. An urgent care clinic does not need your employer. Push back on forms that request information beyond what is relevant to your visit.

7. Shred Physical Documents

Old prescription labels, insurance statements, EOBs, and medical bills contain enough information for identity theft. Shred them rather than tossing them in the trash.

What to Do If Your Medical Records Are Breached

Step 1: Freeze Your Credit

If a healthcare breach exposed your SSN, freeze your credit at Equifax, Experian, and TransUnion immediately. This prevents anyone from opening new accounts in your name.

Step 2: Request Your Medical Records

Get copies from every provider you visit. Look for information that does not belong to you — wrong blood type, conditions you do not have, medications you were never prescribed. Inaccurate medical records can be dangerous if used for treatment decisions.

Step 3: File a Complaint With HHS

The Department of Health and Human Services Office for Civil Rights handles HIPAA complaints. File at hhs.gov/hipaa/filing-a-complaint. Your complaint is confidential and may result in an investigation of the breached entity.

Step 4: Place a Fraud Alert

Contact your health insurance company and ask them to flag your account for potential fraud. Request that they send you copies of all claims filed under your policy.

Step 5: Keep Monitoring

Medical identity theft often surfaces months or years after the initial breach. Set calendar reminders to:

  • Review medical records every 6 months
  • Check insurance EOBs monthly
  • Monitor credit reports quarterly

Reduce the data available to hackers

Healthcare breaches are hard for an individual to prevent because they happen at the provider level. But reducing your personal data on broker sites means criminals have fewer pieces to combine. DeleteMe removes your information from 750+ data broker sites.


Key Takeaways

  • Medical records are worth 10-50x more than credit cards on the dark web
  • Healthcare is the #1 targeted industry for cyberattacks and ransomware
  • Use unique passwords + 2FA on every patient portal and insurance login
  • Review your records annually for treatments, prescriptions, and claims you do not recognize
  • Read every EOB statement your insurance sends — unexplained charges may indicate medical identity theft
  • Limit information on intake forms to what is medically necessary
  • If breached: freeze credit, request records, file HHS complaint, alert insurance, keep monitoring


Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
