Billing Identity Theft: When Healthcare Providers Become Victims
Discussion of healthcare fraud usually focuses on how providers perpetrate the theft and less on how they are also victims of billing identity theft. A less talked-about crime, billing identity theft is when crooks use a service provider’s credentials to perpetrate their crimes against healthcare payers. Fraudsters hijack a legitimate provider’s National Provider Identifier (NPI), Tax ID, or the identity of their legitimate practice. The fraudsters then bill healthcare payers for medical services that were never rendered. This basic scheme usually persists until a Medicare beneficiary receives, and actually reads, the quarterly Explanation of Benefits (EOB) and notices a doctor visit that simply never happened.
This scenario is clever in that it blames the unwitting, innocent provider for a crime they didn’t commit.
How Billing Identity Theft Works
The mechanics of billing identity theft are simple, but the extra layer of actors makes it harder to pin down the suspect. For fraudsters, providers’ NPI data is less of a secret than it should be. Often, an NPI can be found with a simple search of the National Plan and Provider Enumeration System (NPPES), the federal database where every NPI is registered and can be looked up. Additionally, tax IDs are often leaked, healthcare practice addresses are public information, and medical license numbers are usually posted on state board lookups.
Once a determined fraudster assembles a complete provider identity, the fraudster enrolls as a billing entity under the stolen identity, begins to submit claims, routes the claims payments to a temporary bank account, and then moves on to the next victim before anyone even notices.
Healthcare provider billing identity theft also scales. In 2025, another national healthcare fraud takedown by the Department of Justice (DOJ) exposed a scheme involving urinary catheters. In that scheme, operators submitted $10.6 billion in fraudulent Medicare claims by combining the stolen identities of more than a million beneficiaries across the country with hijacked DME provider billing information. This industrial operation was built on a foundation of stolen credentials and could not have worked without the compromised provider-side identities used for billing.
Fraudsters don’t always go through the trouble of rerouting claim reimbursement payments; they sometimes let the payments land in the real provider’s account just to exploit the resulting paper trail to launder other proceeds, or even to use the legitimate billing pattern as cover for fraudulent claims payments. In these cases, the healthcare provider is usually unaware of anything the fraudster is doing.
What Makes Providers So Vulnerable
Identity fraud is less rigorously detected in healthcare than it is in other industries, such as financial services. Healthcare providers’ identities typically aren’t challenged with multi-factor authentication, or an equivalent tool, to verify an NPI on a submitted claim. And there is not really a centralized real-time monitoring service available to providers that could flag unusual billing activity under their NPI.
Healthcare provider identity details are a key component for fraudsters in perpetrating healthcare fraud. To put it into perspective, a healthcare provider’s credentials can sell for up to $1,000 on the dark web, whereas a stolen Social Security number goes for about a dollar and a stolen credit card number fetches only about a hundred bucks. Healthcare credentials are the most valuable by a wide margin, and among them healthcare provider identity data is the most valuable because NPIs can be used across thousands of claims before anyone even notices.
Unfortunately, healthcare providers find out that their NPI has been compromised only after the fraud has occurred, and providers can’t just cancel their NPI and get a new one. An NPI is a number that is tied to a provider for their entire career, so unwinding the damage can take months of legal work and reputational cleanup.
What Billing Identity Theft Costs the Real Provider
The Medical Identity Fraud Alliance estimates the average financial loss to a provider who has been the victim of identity theft at around $13,500. Healthcare payers are quick to claw back adjudicated overpayments from providers, often attacking a provider’s future legitimate reimbursements before the provider even has a chance to dispute the fraud claim. Unlike the payment card industry, healthcare does not provide for a statutory cap on fraud liability for network participants.
The pain doesn’t stop there for providers who are identity theft victims. A flagged NPI creates even more headaches for providers, such as payer suspensions, additional prior authorization requirements, exclusion screenings, and even referrals to the Office of the Inspector General. A victim provider’s record is never really completely cleared, as providers have to explain what happened to credentialing committees, malpractice carriers, and hospital privileging committees.
Even after a victimized healthcare provider spends time and money clearing their name, they have still lost.
What Fraud Teams Can Actually Do
Fraud teams at healthcare payers can do more to keep a healthcare provider from becoming a victim than even the provider can.
Treat provider identity changes like consumer identity changes. A common modus operandi for fraudsters is to add or change a victim’s address or bank information with the healthcare payer. These change requests are signals of potential fraud that need to be assessed for risk.
Monitor the velocity and pattern of billing instead of just the dollar amount. A break in patterns is also a clue that something is up, and a sudden increase in billing could mean that the biller is having a great month or that they are not actually the one doing the billing.
Make it easy for healthcare providers to report suspected identity theft. Just as a credit bureau will freeze a consumer’s credit file in a case of potential identity theft, healthcare payers should make it easy for a healthcare provider to freeze their enrollment changes, which would prevent a meaningful share of the losses.
Share signals across healthcare payers for greater visibility. Fraudsters will use a stolen NPI across Medicare, Medicaid, and several commercial healthcare payers at the same time, which is invisible to each of them individually. Cross-payer visibility makes it harder for the crooks to exploit the system.
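One way a payer fraud team could combine the first two signals above, as an added example that is not part of the original column: flag an NPI whose weekly claim count jumps against its own history, and rank it higher when the jump follows a bank or address change. The record layout, the 30-day window, the 3x multiplier and the NPIs are all assumptions, and the claims are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample data; the NPIs and the record layout are hypothetical.
START = date(2025, 1, 6)  # a Monday
QUIET = [10, 12, 11, 9, 10, 11, 12, 10]  # claims per week
WEEKLY = {
    "1000000001": QUIET + [45, 50, 48],  # spike right after a bank change
    "1000000002": QUIET + [11, 12, 10],  # address change, billing unchanged
    "1000000003": QUIET + [40, 42, 41],  # spike with no enrollment change
}
CLAIMS = [(npi, START + timedelta(weeks=w))  # one row per claim
          for npi, weeks in WEEKLY.items()
          for w, n in enumerate(weeks) for _ in range(n)]
CHANGES = [("1000000001", date(2025, 3, 3), "bank_account"),
           ("1000000002", date(2025, 3, 3), "address")]


def review_queue(claims, changes, window_days=30, spike=3.0, min_history=4):
    """Map NPI -> (severity, week_start, changed_field) for its first spike week."""
    weekly = defaultdict(lambda: defaultdict(int))
    for npi, day in claims:
        weekly[npi][day - timedelta(days=day.weekday())] += 1  # bucket by Monday
    queue = {}
    for npi, counts in weekly.items():
        weeks = sorted(counts)
        for i, week in enumerate(weeks):
            prior = [counts[w] for w in weeks[:i]]
            # Compare against the provider's own history, not a dollar cap.
            if len(prior) < min_history or counts[week] < spike * median(prior):
                continue
            week_end = week + timedelta(days=6)
            field = next((f for n, d, f in changes if n == npi and
                          timedelta(0) <= week_end - d <= timedelta(days=window_days)),
                         None)
            # A spike that follows an identity change is the stronger signal.
            queue[npi] = ("HIGH" if field else "MEDIUM", week, field)
            break
    return queue


if __name__ == "__main__":
    for npi, finding in sorted(review_queue(CLAIMS, CHANGES).items()):
        print(npi, *finding)
```

The provider with an address change but steady billing is not queued, which keeps a routine practice move from being treated the same as a takeover.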
The Uncomfortable Part of Billing Identity Theft
The crime is pretty easy. So easy that a reporter at The Atlanta Journal-Constitution accomplished it with inexpensive software and a public list of UPS Store addresses to find 131 CMS-registered providers in Atlanta who were using UPS Store mailboxes as their practice address. In his own Nick Shirley moment, this one reporter looking into the problem in one city was able to expose a flaw in the CMS provider enrollment process that failed to tell the difference between a real practice and a mail drop.
The penalties that fall on healthcare providers who are victims of identity theft reduce their incentive to come forward as a victim. Healthcare providers do not want the stigma of being a victim of fraud, as it leads to all of the other hassles that potentially jeopardize their business. That can mean that healthcare providers who are victims of identity theft are incentivized to just ignore it rather than raise their hand and become tainted by association. This is bad for fraud-fighting healthcare payers, and good for fraudsters, as these silent providers prevent the creation of fraud data points that would help the payers in their fight against fraud.
Healthcare payers need to stop treating NPIs as guilty until proven innocent. Payers need to build a process to tell the difference between providers who are fraudsters and providers who are victims.
Closing Thought
Past columns have addressed how the fraud supply chain exploits healthcare beneficiaries. This one exposed how it exploits providers too. Healthcare keeps treating identity theft as something that happens to patients. Fraudsters figured out a long time ago that it happens to providers just as easily — and we still haven’t caught up.





















