Patient identity theft: an audit of the 2025 attack surface
Medical identity theft rose 41% year over year. A breakdown of the attack vectors providers keep underestimating, from staff impersonation to telehealth spoofing.
Medical identity theft is the category of fraud that hospital CFOs talk about least and that costs them the most. The Ponemon Institute's 2025 figures put the average per-incident cost at $13,500, and the volume rose 41% year over year. The $41B annual figure for the US healthcare system is the headline number, but the structural cost, the reason it keeps growing, is that patient identity verification at most providers was designed for 2005, not 2025.
This is an audit of where the actual attacks land, based on incident data we pulled from our healthcare customers and a survey of provider security teams conducted in Q4 2025.
Vector 1: The check-in window
The single most common attack is the most boring: someone walks in, presents stolen ID information, receives care, and the bill follows the victim. In 76% of the incidents we reviewed, the only identity check at point of care was a visual match against a photo ID the check-in clerk had no training to authenticate.
The failure mode is structural. Front-desk staff are hired and trained to optimise patient throughput, not to detect document forgery. A modestly competent forged ID (colour-laser printed, laminated, with the right state seal) clears visual inspection almost every time.
What works: document authenticity checks that run in parallel to check-in rather than blocking it. The clerk scans the ID as part of normal workflow; CredFlare's authenticity engine flags security-feature failures asynchronously and pushes an alert only if something is wrong. Patient throughput is not affected. Attack detection goes from ~0% to ~94%.
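The design point in the paragraph above is that verification is decoupled from check-in but still reconciled: a result that never arrives must be just as visible as a result that fails. The model below is an added illustration, not CredFlare's engine or API. It stands in for the authenticity engine with a callback, and the check-in identifiers, patient references, scan references, ten-minute SLA and timestamps are all constructed for the example.

```python
"""Non-blocking document authenticity check at check-in, modelled as a small
state machine (added illustration; the vendor engine is replaced by a callback)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Checkin:
    checkin_id: str
    patient_ref: str
    doc_scan_ref: str
    started_at: datetime
    authentic: Optional[bool] = None      # None while the check is still pending
    resolved_at: Optional[datetime] = None


class CheckinDesk:
    """Check-in returns immediately; the authenticity result arrives later via a
    callback and is reconciled here. Staff see an alert only on a failed
    document, a result that cannot be matched, or a check that never came back."""

    def __init__(self, sla: timedelta = timedelta(minutes=10)):  # assumed SLA
        self.sla = sla
        self.pending: Dict[str, Checkin] = {}
        self.completed: Dict[str, Checkin] = {}
        self.alerts: List[str] = []
        self._escalated: Set[str] = set()

    def check_in(self, checkin_id: str, patient_ref: str,
                 doc_scan_ref: str, now: datetime) -> Checkin:
        record = Checkin(checkin_id, patient_ref, doc_scan_ref, now)
        self.pending[checkin_id] = record
        return record  # the clerk's workflow continues; nothing waits here

    def on_verification_result(self, checkin_id: str, authentic: bool,
                               now: datetime) -> None:
        record = self.pending.pop(checkin_id, None)
        if record is None:
            # Unknown or duplicate callback: never accept it silently.
            self.alerts.append(f"{checkin_id}: result for unknown or already-resolved check-in")
            return
        record.authentic, record.resolved_at = authentic, now
        self.completed[checkin_id] = record
        if not authentic:
            self.alerts.append(f"{checkin_id}: document {record.doc_scan_ref} failed "
                               f"authenticity check for {record.patient_ref}")

    def sweep_overdue(self, now: datetime) -> List[str]:
        """Asynchronous must not mean optional: anything still pending past the
        SLA is escalated once, so a dropped result is visible rather than lost."""
        overdue = [cid for cid, c in self.pending.items()
                   if now - c.started_at > self.sla and cid not in self._escalated]
        for cid in overdue:
            self._escalated.add(cid)
            self.alerts.append(f"{cid}: no authenticity result after {self.sla}")
        return overdue


def demo() -> CheckinDesk:
    """Constructed morning: three check-ins, one forged document, one lost result."""
    desk = CheckinDesk()
    t0 = datetime(2025, 11, 3, 9, 0, 0)
    desk.check_in("c1", "patient-001", "scan-a", t0)
    desk.check_in("c2", "patient-002", "scan-b", t0 + timedelta(seconds=40))
    desk.check_in("c3", "patient-003", "scan-c", t0 + timedelta(seconds=75))
    desk.on_verification_result("c1", True, t0 + timedelta(seconds=12))
    desk.on_verification_result("c2", False, t0 + timedelta(seconds=55))
    desk.on_verification_result("c2", False, t0 + timedelta(seconds=56))  # duplicate callback
    desk.sweep_overdue(t0 + timedelta(minutes=15))                      # c3 never answered
    desk.sweep_overdue(t0 + timedelta(minutes=20))                      # no second alert for c3
    return desk


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```

The clerk never waits on `check_in`; the alert list is what the parallel check feeds back to staff. The `sweep_overdue` pass is the part that is easy to omit in a real deployment and the one that matters most: without it, an outage in the authenticity engine looks identical to a morning of genuine documents.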
Vector 2: Insurance card sharing
The second-most-common vector is consensual but still fraudulent: a family member or friend uses someone else's active insurance to receive care they are not entitled to. It is perceived as a victimless crime; in practice the insurance company pays out claims against the wrong medical history, and the policyholder's records are corrupted with care they never received.
Visual ID checks never catch this, because the person presenting the card is a real person, just not the insured one. What catches it is biometric binding: the insurance policy is anchored to a face-and-document verification that was done once at enrollment, and every point-of-care event is a liveness check against that anchor.
This is one of the cleanest use cases for Universal Verification Numbers. The insurance policy UVN is what the biometric check is against. The provider never needs to handle or store the underlying biometric, because CredFlare verifies the liveness capture against the UVN on behalf of the insurer.
Vector 3: Telehealth spoofing
Telehealth exploded in 2020, and its identity verification has not caught up. The median workflow at a US telehealth provider in late 2025: patient logs in with username and password, clicks into a video call, provider eyeballs them and provides care.
The attack: buy stolen credentials on the dark web ($3–$8 per set), log in, receive a prescription for a controlled substance. The attacker's face on the video does not match the patient's intake photo, but no provider is comparing, because in a 12-minute telehealth slot, no one has time to open another system and do a manual visual comparison.
The fix is to move the match to a pre-call gate: before the video session starts, the patient completes a liveness check that is compared to their record. It takes about four seconds. The provider joins the call already knowing the person on the other end is who the record says they are.
Every telehealth vendor that told us identity verification would "add friction" was quoting conversion data from an intake flow that already had friction. The real question is where you put it.
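What makes a pre-call gate worth more than a login screen is what it checks beyond the face match: the liveness result must be bound to this patient record and this session, fresh, unforgeable by the client, and usable once. The gate below is an added example of those checks, not the page's vendor flow. The HMAC shared key, the 120-second freshness window, the 0.90 match threshold, the attestation field names and the patient and session identifiers are all assumptions constructed for the example; the liveness capture itself is simulated by `issue_attestation`.

```python
"""Pre-call identity gate for telehealth (added illustration; not a vendor API).
The liveness service signs an attestation of the face match; the gate verifies
signature, binding, freshness, threshold and single use before admitting the
patient to the video session."""
import hashlib
import hmac
import json
from typing import Set, Tuple

GATE_KEY = b"example-shared-secret-not-for-production"  # assumed shared key
MAX_AGE_S = 120   # assumed freshness window for an attestation, in seconds
MIN_MATCH = 0.90  # assumed face-match threshold


def sign_attestation(payload: dict, key: bytes = GATE_KEY) -> str:
    # Canonical JSON so both sides hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_attestation(patient_id: str, session_id: str, match_score: float,
                      issued_at: int, nonce: str, key: bytes = GATE_KEY) -> dict:
    """Stands in for the liveness service: the capture has been compared to the
    enrolment anchor and the result is returned signed (simulated here)."""
    payload = {"patient_id": patient_id, "session_id": session_id,
               "match_score": match_score, "issued_at": issued_at, "nonce": nonce}
    return {"payload": payload, "sig": sign_attestation(payload, key)}


class PreCallGate:
    def __init__(self, key: bytes = GATE_KEY):
        self.key = key
        self.used_nonces: Set[str] = set()

    def admit(self, attestation: dict, expected_patient: str,
              expected_session: str, now: int) -> Tuple[bool, str]:
        p = attestation["payload"]
        # 1. Integrity: the client must not be able to edit the score or the binding.
        if not hmac.compare_digest(sign_attestation(p, self.key), attestation["sig"]):
            return False, "bad signature"
        # 2. Binding: a valid attestation for another record or session is worthless.
        if p["patient_id"] != expected_patient:
            return False, "attestation is for a different patient record"
        if p["session_id"] != expected_session:
            return False, "attestation not bound to this session"
        # 3. Freshness: reject stale results and clock-skewed future timestamps.
        if now - p["issued_at"] > MAX_AGE_S or p["issued_at"] > now + 5:
            return False, "attestation stale or from the future"
        # 4. The actual match outcome.
        if p["match_score"] < MIN_MATCH:
            return False, "face did not match record"
        # 5. Single use: a captured attestation cannot open a second session.
        if p["nonce"] in self.used_nonces:
            return False, "attestation already used"
        self.used_nonces.add(p["nonce"])
        return True, "admitted"


if __name__ == "__main__":
    gate, now = PreCallGate(), 1_730_000_000
    good = issue_attestation("patient-001", "sess-42", 0.97, now - 10, "n1")
    print(gate.admit(good, "patient-001", "sess-42", now))   # admitted
    print(gate.admit(good, "patient-001", "sess-42", now))   # replay rejected
```

The ordering of the checks is deliberate: the signature is verified before any field is trusted, and the nonce is recorded only on success, so a rejected attestation does not consume its nonce and a retried legitimate one is not locked out.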
Vector 4: Provider credentialing fraud
The inverse of patient fraud: someone presents themselves as a credentialed provider. These are rare but extraordinarily costly. An uncredentialed "physician" treating patients in 2023 in one US state produced $18M in fraudulent billing and unknowable harm.
Credentialing verification today is a manual, months-long process of phone calls to medical schools and licensing boards. It is also the kind of high-stakes, low-volume workflow where automation is exactly right. A credential UVN (a verified link between a person, their face, their licence number, and the issuing board's confirmation) collapses the months to minutes and makes re-verification cheap enough to run on a cadence.
What healthcare security teams should do now
- Map the verification gaps against the care pathway. Intake, admission, prescription issuance, discharge, billing: each is an identity event. Not all need the same strength of check, but each should have an intentional one.
- Separate authenticity from identity. "Is this a real, unaltered ID?" and "Is this the person it belongs to?" are two different questions. Most provider workflows collapse them into one visual glance.
- Anchor insurance to biometrics, not cards. Cards are shareable. Faces with liveness are not.
- Pre-gate telehealth sessions. Moving the identity check from during-call to pre-call recovers both security and provider time.
- Re-verify providers on a schedule. A licence verified in October and suspended the following February stays on the roster until the next check; on an annual cadence that is most of a year of exposure.
None of this is new technology. The components (document authenticity, biometric liveness, provider credential verification) are standard elements of the CredFlare Healthcare profile and are HIPAA-compliant by default. What is new is the willingness of healthcare providers to treat identity as infrastructure rather than a check-in clerk's responsibility. The 41% year-over-year growth in attacks suggests that shift is overdue.