A virus like no other

How to protect yourself against identity theft.

By Ruth Carol, Contributing Writer, January 1, 2024

Dermatologists are high achievers. That serves them well when it comes to graduating from medical school, persevering in residency, and practicing dermatology. It doesn’t serve them well online where scammers use malware, including viruses unlike any of those in the medical literature, and other means to steal their identity.

Physicians are one of the most vulnerable groups for identity theft because they are high-income earners who tend to have larger data footprints than the average professional, according to LifeLock. Persons in households earning $200,000 or more annually had the highest prevalence of identity theft, per the latest U.S. Department of Justice figures. Individuals with a higher education — as in a college or post-graduate degree — are 10% more likely to be targeted by scammers, reports the AARP (formerly the American Association of Retired Persons).

High earners are big targets because people with more money engage in more transactions, which increases the opportunity for data compromise, noted Jim Van Dyke, senior principal and head of innovation for TransUnion, which owns IdentityForce. Although anyone can be a victim of identity theft, “affluent wealthy” individuals typically have excellent credit and access to information without a criminal background, making them a very attractive target for fraudsters, according to Henry Bagdasarian, founder of the Identity Management Institute.

“Physicians are well-to-do, not necessarily that tech savvy, and have access to a wealth of information that scammers would like to obtain,” said Abhishek Karnik, senior director of threat research at McAfee. “It’s important when you’re in this type of position of responsibility that you take security seriously for yourself and others,” he added.

Data Privacy & Protection Day is Jan. 28 — the goal of which is to raise awareness about the importance of protecting one’s privacy online. This month, DermWorld offers advice from experts on how to prevent identity theft and what to do if one falls prey to it. Next month, DermWorld will explore how to protect your practice and patients from cyberattacks.

What is identity theft?

Identity theft is when someone uses your personal or financial information without your permission. Identity thieves might steal your name and address, credit card, or bank account numbers, Social Security number, or medical insurance account numbers. They could use them to:

  • Buy things with your credit cards

  • Get new credit cards in your name

  • Open a phone, electricity, or gas account in your name

  • Steal your tax refund

  • Use your health insurance to get medical care

  • Pretend to be you if they are arrested

Source: Federal Trade Commission

In 2022, more than 1.1 million reports of identity theft were received through the FTC’s www.IdentityTheft.gov website. Consumers report losing nearly $9 billion to scams, including identity theft, which represents an increase of more than 30% over the previous year.

Just how vulnerable is “vulnerable”?

Identity thieves have essentially two ways of obtaining a physician’s data, Van Dyke explained. In a direct attack, they may break into a system to steal information or access it through a business email compromise. These thieves will steal the data of all employees, partners, and patients. In 2022, 52 million patients were impacted by health care data breaches, he said.

The second way is buying the physician’s information on the dark web, where profiles of most every American are continuously populated with stolen personally identifiable information. This includes birthdays, Social Security numbers, passwords, account numbers, usernames, email and physical addresses, phone numbers, security questions, and network and mobile system information that is stolen in tens of thousands of data breaches each year, Van Dyke stated. “Cybercriminals prefer this method, as it’s quite a bit easier to log in to a system than to break into one,” he added.

In general, hospitals and large clinics have sophisticated, highly regulated cybersecurity controls that keep employee and patient data safe. But smaller offices, like dermatology practices, often rely on third-party managed service providers (MSPs) for such protection. The problem is that MSPs are fast becoming a favorite among today’s threat actors, Van Dyke noted. “Hack into one, and you potentially gain access to all their clients’ data files,” he said. The data are then brokered online.

In 2022, third-party breaches were responsible for approximately half of the 3,495 compromised entities, such as MSPs, according to IdentityForce’s most recent research. That figure represents a 45% increase over 2021, Van Dyke added.

Recently, scammers are beginning to use generative artificial intelligence (AI) technology to clone a person’s voice and repurpose it for a targeted attack, Karnik said. This only requires a one-minute snippet, or less, pulled from social media or a meeting presentation posted on a website.

Spotting identity theft

Signs of identity theft can vary. They include the following:

  • Unfamiliar charges on credit cards

  • Invoices, bills, or statements from unfamiliar accounts

  • Collection notices or calls from collection agencies

  • Unfamiliar account transactions on bank statements

  • Illegitimate activity on a credit report

Preventing identity theft

Practicing good digital identity hygiene can go a long way toward preventing identity theft. Always use secure Wi-Fi and limit what you share on social media, which is a great place from which to harvest information, Karnik said. It is safer to use an organization’s Zoom or Teams channel, because it has the right privacy and security settings, than to push information out on social media.

Passwords and beyond.

Creating a strong password is the first step in keeping one’s personal information safe online. Longer passwords are better; use 10 to 12 characters at a minimum, according to Kaspersky. Combine uppercase and lowercase letters, numbers, and symbols to create the password. The more variation, the more unpredictable the password will be. As an example, replace the first two letters of each word with numbers or symbols, use uncommon word combinations by rearranging the order in which they are used, or use unrelated phrases together, all of which will create a hard-to-decipher pattern. Use a different password for each account; reusing passwords compromises multiple accounts, the cybersecurity company suggests.

On the flip side, don’t use obvious character substitutes, such as a zero in place of the letter “O.” Nowadays, hackers code these substitutions into their password-cracking software, according to Kaspersky. Avoid common sequences (e.g., 12345 or qwerty) and common words (e.g., password). Don’t use obvious personal information, such as a nickname or initials, important dates, or names of children or pets. Update passwords regularly, Karnik advised. When setting up security questions, don’t give the true answer. If the question is, “Where were you born?” instead of answering “Chicago,” use “Sunscreen” as the response.
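As an added illustration of the password rules in the two preceding paragraphs, the following Python function is example code written for this article, not Kaspersky’s or any vendor’s tool. It checks a candidate password for length, character variety, common sequences and words, obvious character substitutions (the “zero for O” trick), and personal information supplied by the caller. The 12-character floor, the short word lists and the substitution table are assumptions chosen for the example; a real checker would use a large breached-password corpus.

```python
from __future__ import annotations
import re

# Assumed floor: the article cites "10 to 12 characters at a minimum"; this example uses 12.
MIN_LENGTH = 12

# Constructed, deliberately tiny lists for the example; a production checker would use
# a breached-password corpus with millions of entries.
COMMON_SEQUENCES = ("12345", "qwerty", "abcdef", "11111")
COMMON_WORDS = ("password", "letmein", "welcome", "admin")

# Obvious substitutions that cracking tools already try, so they add no real strength.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(password: str) -> str:
    """Undo obvious character substitutions so 'Passw0rd!' is judged like 'password'."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return a list of problems found; an empty list means every rule passed.

    personal_terms: names, dates or nicknames the user should not embed in the password.
    """
    problems: list[str] = []

    # Rule 1: length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: variety. Count how many of the four classes appear.
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than three character classes (lower, upper, digit, symbol)")

    # Rules 3-5 are checked against both the raw (lower-cased) password and the
    # de-substituted form, so neither '12345' nor 'Passw0rd' slips through.
    haystacks = (password.lower(), normalize(password))
    for seq in COMMON_SEQUENCES:
        if any(seq in h for h in haystacks):
            problems.append(f"contains common sequence '{seq}'")
    for word in COMMON_WORDS:
        if any(word in h for h in haystacks):
            problems.append(f"contains common word '{word}' (even with substitutions)")
    for term in personal_terms:
        if any(term.lower() in h for h in haystacks):
            problems.append(f"contains personal information '{term}'")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a weak password, a weak one built from a pet's name
    # and a birth year, and a long unrelated-word phrase in the style the article suggests.
    for candidate, personal in (
        ("Passw0rd!", ()),
        ("Fluffy2015!!", ("Fluffy", "2015")),
        ("Sunscreen-Bicycle-47Lamp", ()),
    ):
        result = check_password(candidate, personal)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The function reports every failed rule rather than stopping at the first, which is what a user (or a password-policy screen in a practice management system) needs in order to fix the password in one pass.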

Multi-factor authentication offers an extra layer of security by requiring two or more credentials to log into an account. It could be in the form of a passcode sent via text message or an authentication app, or a scan of one’s fingerprint, retina, or face. Use two-step authentication for passwords, whenever it’s available, he said.

A virtual private network (VPN) hides users’ internet protocol (IP) address, letting them surf the internet anonymously and privately without the risk of having their identity revealed. Many VPN services also provide a kill switch, which cuts off the internet connection if the VPN connection is compromised; a firewall, which protects against malicious users attempting to exploit the VPN connection; and a policy that prohibits the service provider from collecting users’ data.

A password manager is a program that generates and stores all passwords securely. It enables users to use a unique password for every account without having to memorize them all. When users visit a site, the program automatically fills in their login name and password. Many companies that offer identity theft protection services bundle such tools as a VPN, a password manager, and a secure app for a mobile phone, Karnik said.

Snail mail.

Mailboxes, which are typically unlocked, contain numerous documents with sensitive information, making them irresistible to identity thieves, Bagdasarian noted. Among them are statements from the bank, Social Security, employer, brokerage firm, and credit card.

To minimize the risk of scammers stealing the mail, secure the mailbox, Karnik suggested. Options include installing a mail slot cover or a tamper-proof or lockable mailbox. Pick up mail promptly and stop it when going on vacation or have a neighbor retrieve the mail. If mailing sensitive information, consider using certified mail so it can be tracked, he said. Better yet, go paperless when available, Karnik added. Invest in a shredder to shred old mail.

“Be on guard for fake billing statements that ask you to renew services you never signed up for, such as domain addresses and insurance,” Van Dyke said. Check logos to make sure they look legitimate and don’t overlook grammatical or spelling errors. Scammers sometimes send mail claiming to be from a government agency, such as the Internal Revenue Service, offering a refund but asking for “filing information” first. When in doubt, go online to find the organization’s official website and make contact through the verified source, he said, adding, “The crooks are betting that you won’t invest the time to confirm that the communication is real.”

Email phishing.

Hackers usually impersonate a recognized and trusted brand to induce people to click on a link that will infect their device with ransomware, then use that foothold to steal data and even extort money. “We used to warn people to look for typos and grammatical errors in phishing emails,” Karnik said. But given the improvements in generative AI, it is becoming increasingly easy for scammers to create grammatically correct emails in any language. Instead, look for emails that create a sense of urgency. For example, the email directs the dermatologist to click on a link to release a package from UPS or Amazon that is supposedly being held up.

Set up email inboxes to filter out spam and phishing mail, Van Dyke advised. Don’t click on a link provided in an email or text, or call a phone number provided in a suspicious communication, he warned. Instead, visit the organization’s official website and use the customer service number listed there. Confident the email is legitimate? To be sure, hover the mouse over the link to verify it is going where expected before clicking. Provide ongoing training to employees so they don’t fall for scams, as well, Van Dyke added. “In the last six years, we have seen more medical organizations being targeted by ransom groups,” Karnik said. They typically gain access when someone opens a malware-laden attachment.
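The “hover over the link” check described above can be automated for a whole mailbox. The following Python example, added here and not part of the original article or any vendor product, parses a constructed sample message, flags links whose visible text names one domain while the actual destination is another, and looks for the urgency phrasing the section warns about. The sample email and the phrase list are constructed for the example (the domains are RFC 2606 reserved names, not real senders), and the domain comparison uses a simplified last-two-labels rule rather than a public-suffix list; both are assumptions of this example.

```python
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase list; real mail filters use far larger and localized sets.
URGENCY_PHRASES = (
    "act now",
    "within 24 hours",
    "account will be suspended",
    "package is being held",
    "immediately",
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host: str) -> str:
    """Simplified 'last two labels' comparison (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html_body: str) -> list[dict]:
    """Return links whose displayed text looks like a URL on a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        # Treat the visible text as a URL if it contains a dotted host name.
        shown = text if "://" in text else "https://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." not in shown_host:
            continue  # plain words such as "Help center" are not a domain claim
        if registrable_part(shown_host) != registrable_part(real_host):
            findings.append({
                "text": text,
                "href": href,
                "shown_host": shown_host,
                "real_host": real_host,
            })
    return findings


def find_urgency_cues(text: str) -> list[str]:
    """Return the urgency phrases present in the message, in list order."""
    lowered = text.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lowered]


# Constructed sample message mimicking a "release your package" lure; reserved example domains only.
SAMPLE_EMAIL = """
<html><body>
<p>Your package is being held at our facility and will be returned within 24 hours.</p>
<p>Release it here:
  <a href="http://secure-tracking.example.net/release?id=12345">https://www.example.com/track</a></p>
<p>Questions? Visit our <a href="https://www.example.com/help">Help center</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text claims {finding['shown_host']} but goes to {finding['real_host']}")
    print("urgency cues:", find_urgency_cues(SAMPLE_EMAIL))
```

Only the first link is flagged: its visible text claims `www.example.com` while the href resolves to `secure-tracking.example.net`. The second link’s text is ordinary words, so it is not treated as a domain claim. The urgency check is a coarse signal meant to prioritize human review, not a verdict on its own.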

Voice cloning.

Physicians should be mindful of where and to what degree their voice and the voices of their team members are available online and in the cloud, Van Dyke said. That means voicemails, personal videos on social media, webinars, customer service calls, and recordings of speaking engagements. “Protecting voice data now will go a long way toward keeping it out of the AI training models that will eventually proliferate online,” he noted.

Identity protection services vary

Many companies sell identity theft protection services that may include credit monitoring, identity monitoring, identity recovery services, and identity theft insurance, according to the Federal Trade Commission (FTC). These services also might be offered by a bank or credit union, credit card provider, employer’s benefits program, and insurance company.

Credit monitoring services scan activity that shows up on credit reports, the FTC says. They might monitor activity at one, two, or all three of the major credit bureaus — Equifax, Experian, and TransUnion. Credit monitoring services will send the physician alerts when lenders request a copy of their credit report, Van Dyke said. Some of these services also watch for redirected mail through the postal service, as criminals often change the physical address of a victim.

Identity monitoring services check databases that collect different types of information to see if they contain new or inaccurate information about the person, according to the FTC. This could be a sign that someone is using the dermatologist’s personal information. These services can detect uses of personal information that won’t show up on credit reports. Such services may monitor court records, dark web databases, payday lender files, and social media posts, Van Dyke said.

Identity recovery services help repair any damage caused by identity theft, the FTC states. They typically offer access to counselors or case managers who will help recover the physician’s identity. Some services will act on the dermatologist’s behalf to deal with creditors or other institutions.

Companies that sell monitoring services may also offer identity theft insurance, which may cover out-of-pocket expenses directly associated with reclaiming the dermatologist’s identity, lost wages, and legal fees, according to the FTC. It generally won’t reimburse the stolen money or financial loss resulting from the theft. “Recovering from financial and reputational damage is difficult in all circumstances, but having the help of a cyber insurer who offers incident recovery services can make it easier,” Van Dyke said.

Identity protection services range in cost from $30 a month to $60 a month, depending on what services are provided, Karnik said. Physicians may want to consider extending identity protection solutions to family members and employees. Identity protection is one of the fastest-growing employee perks, Van Dyke added.

Recovering from identity theft

Dermatologists who have recovery services should file a claim with their company. For those who don’t have identity protection services, www.IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims, providing checklists and steps outlining the recovery process.

Among those steps is freezing one’s credit. “That will make it more difficult for someone to get new credit or extend credit using their identity,” Van Dyke said. Dermatologists might want to freeze their credit and unfreeze it only when they apply for a loan or open a new line of credit, for example, to buy a home or car, Karnik said.

Dermatologists should contact the major credit bureaus and place a fraud alert on their credit report, so potential lenders know that their identity has been put at risk, Van Dyke added. Placing a fraud alert requires all creditors to contact the dermatologist to confirm and approve new accounts being opened or changes being made to existing accounts, Bagdasarian said.

Dermatologists can check their credit at www.annualcreditreport.com for any discrepancies, Karnik said. He recommends reviewing one’s credit report every three months. It’s a “soft pull,” so it doesn’t impact one’s credit score, he said.

Dermatologists should contact their bank and credit card companies, especially if any cards were stolen or unfamiliar charges were made, to let them know. The credit card company may cancel the cards and issue new ones. Be sure to change all passwords to financial accounts, social media, email, etc.

Finally, file a police report. “The first two hours are the most critical period,” Karnik said. “The sooner you identify the problem, the better chance you have of resolving it and not having to go through a long journey to recover your identity. Proving your identity is a lot tougher.”

It can take anywhere from several weeks to several years to recover one’s identity, depending on the extent of the fraud. Who has the time for that?

“The pervasive myth that some clinics are too small to be targeted for attack continues to surprise doctors when they fall victim,” Van Dyke concluded. “From the doctor’s personal finances to the clinic’s treasure trove of patient information, the valuable assets at the average clinic are too tempting for cybercrooks to ignore.”