Shining a new spotlight on health data breaches, the Federal Trade Commission recently posted a frequently asked questions guide to medical identity theft for health care providers and insurers. Medical identity theft occurs when one person obtains health care services or prescription drugs using the identity of someone else, or when those working in a health care provider setting use an individual’s personal information to submit false bills to an insurer. People victimized by medical identity theft often realize the theft has occurred when they get a bill for a service they did not receive, are contacted by a debt collector for medical bills for services thy never obtained or from doctors they never saw, or are denied insurance because their records are incorrect. The guide makes clear that if a patient reports being a victim of medical identity theft, providers and insurers are expected to conduct an investigation and correct any incorrect information, follow the applicable rules of the Fair Credit Reporting Act, review their data security practices, and provide notification as required under HIPAA or other federal or state security breach notification laws. The guidance for health care providers and insurers follows on guidance posted last month for consumers on how to prevent and detect medical identity theft.