Victims often don’t realize they’ve been targeted until they discover a drop in their credit score or until a collection agency comes after them for unpaid medical bills, said Jim Quiggle, director of communications for the Coalition Against Insurance Fraud, a group that includes insurers, consumer activists and government officials. While most of the cost of medical identity theft is borne by the health care industry and government, the Poneman Institute estimates that about 36 percent of victims in 2013 incurred out-of-pocket costs such as reimbursements for services provided to impostors, legal fees and identity protection services. The average cost for these victims amounted to $18,660; in a few cases, it exceeded $100,000.

Medical identity theft can happen in several ways. In one common scenario, the criminal persuades a consumer to divulge his health insurance number. Strategies for collecting these numbers can be highly sophisticated, especially when crooks operate in teams, Quiggle said. “They might invite seniors to bogus health fairs where they take their blood pressure and give them some nutritional supplements and ask to see their Medicare cards.”

Jennifer Trussell, who investigates medical identity theft for the Department of Health and Human Services’ Office of Inspector General, has seen cases where criminal rings target senior centers or homeless shelters and offer people $50 for, say, their Medicare number. “That information is sold again and again,” she said.

Even though the victims in these instances voluntarily share their numbers, they may not realize the impact, Quiggle said. “They'll discover to their horror that their Medicare account is being rifled and even maxed out by thieves who are making false claims against their policy.”

Some cases are perpetrated by employees of medical offices or even health care providers. Trussell worked on a case involving an Iowa chiropractor who had lifted the names and dates of birth of more than 200 patients to collect fraudulent Medicaid payments. In another case, a Baltimore pharmacy owner and two employees were indicted for allegedly submitting bogus claims for prescription refills to Medicaid and Medicare. Sometimes medical identity theft happens with the cooperation of the victim, who allows a family member or acquaintance to use his health insurance card to obtain care. Poneman Institute founder Larry Poneman said these “Robin Hood” crimes made up 30 percent of the medical identity thefts his group studied in 2013.

Giving your insurance number to someone in need might seem like a generous thing to do, but it’s still a crime and you could suffer consequences if the visits rack up bills that go unpaid or result in incorrect additions to your medical records, Poneman said. If an impostor’s blood type or medical condition gets added to your record, you could end up receiving inappropriate or even life-threatening treatment. Electronic medical records make your medical data easier to steal, because any clerk with access to patient records can load patient information onto a thumb drive and sell it to cronies or crime rings, Quiggle said. And because the Internet makes electronic records easy to share, tracking down all the providers who have received incorrect data can be difficult.

So how do you protect yourself? Never give your medical identity credentials to anyone but those with a legitimate reason for needing this information, such as the billing person at your doctor’s office, Quiggle said. Treat with suspicion anyone who asks you for your insurance number without a good reason, and never give these numbers to telemarketers or callers conducting “health surveys.” Closely scrutinize the “Explanation of Benefits” or “Medicare Summary Notice” documents that are sent to you to make sure that you actually received the services and products listed, he said.

If you see anything suspicious, ask to see your medical record to look for mistakes or evidence that your identity has been compromised. “A lot of people don’t realize that they have the right to read their medical records,” Poneman said. He recalls a case where a woman who stood more than 6 feet tall went in for bypass surgery; her medical record, however, showed that she was just over 5 feet tall because, unbeknown to her, an impostor had used her identity to receive care. Had she been given anesthesia and other drugs based on the impostor’s size, she could have faced serious problems with the surgery.

Think twice before sharing detailed medical information on social media, Trussell said. Posting a medical diagnosis on social media is akin to posting your address along with the dates that you’ll be away on vacation. An impostor could use that information to obtain services that might not raise red flags with your insurer. For instance, if you tweet about your diabetes diagnosis, Trussell said, it’s possible that “next thing you know, you’re getting diabetes test strips you didn’t order or receive billed to your insurance company.”