I’ve spent a good part of my career talking about identity. 

Mostly, it’s been as a sales consultant. I’d sit with a customer, walk through their security risks, identify the gaps, and make a case for stronger authentication – often with a push for biometrics somewhere in the mix. I’m a true believer in facial authentication, but those discussions with customers can sometimes feel a bit theoretical – particularly when we’re talking about environments where I don’t spend that much time. Like hospitals. 

Recently, that changed for me.  

The Ease of Identity Fraud 

A few months back, I had to have surgery and saw firsthand how identity verification currently plays out in a hospital setting.  

When I arrived for check-in, I was asked a standard set of questions: name, address, social security number, and insurance coverage. I handed over my driver’s license. The nurse looked at my photo, looked at me, and said, “Okay. We’re good.” Just like that, I was cleared for medical treatment. 
The problem is that, with a decent fake license, someone else could have checked in for my surgery and had it billed to my insurance.  

This may sound unlikely, but it happens all the time—and at a staggering rate. According to a 2024 report from Javelin Strategy & Research and AARP, American adults lost $43 billion to identity fraud in 2023 alone.1 

Healthcare identity fraud, which represents a significant chunk of those incidents, presents unique challenges because the stakes extend beyond money. When a person’s identity is used to obtain medical services for someone else, the damage can haunt the victim long after the financial issues are resolved. Incorrect diagnoses, medications, allergies, blood types, and treatment histories can become attached to the wrong patient, creating risks that don’t exist with other forms of identity theft.   

Estimates place total healthcare fraud losses between $100 billion and $170 billion annually2, and just last year – in June 2025 – the DOJ announced its largest-ever healthcare fraud takedown, involving more than $14.6 billion in fraudulent claims.3 While not all those cases involved identity theft, they illustrate the scale of the fraud problem facing the industry. 

So when healthcare identity fraud happens, here’s how it plays out: The hospital performs the procedure. The claim gets submitted. Insurance processes it. And everyone assumes the systems worked – until the bill comes. 

Then, the person who is actually covered by the insurance says, “I never had that surgery,” but a lot of money has already been exchanged. The insurance company pushes back. The provider gets pulled into an investigation. Legal teams get involved. And now, multiple parties are spending even more time and money trying to figure out what happened and reach a resolution. All because the system trusted the wrong identity. 

Check-in isn’t the only place where identity matters. It follows patients from intake to imaging, from surgery to recovery, from billing to insurance claims. And at each step, the system assumes that the identity established at the front desk was correct. Once checked in, some providers go through the motions of patient identity verification in treatment rooms with a simple question, like “What’s your birthday?” All that does is confirm that the patient in front of them knows the birthday of the person they’re claiming to be. That’s a disturbingly low bar for establishing identity! 

What’s missing is a standardized way to establish and share a trusted identity across the entire healthcare ecosystem. Currently, a patient might verify themselves at a doctor’s office. The data is input into the system. But when they’re referred to a surgery center, sent for an MRI, or admitted to a hospital, that identity isn’t consistently and reliably vetted. Each facility is effectively starting from scratch – checking the same ID and making the same fallible judgment call. 

A Better Model 

Think about how programs like airport trusted traveler systems work. Before you ever step into a security line, your identity has already been carefully verified against government-issued documents. Once you’re in that system, you’re not proving who you are each time you pass a checkpoint; you’re simply confirming that you are the same person tied to that trusted identity. And then, to make the process faster and more convenient, a growing number of airports are using facial authentication to automate the process. 

So what would it look like if healthcare started treating identity with the same rigor as other industries – like air travel, finance, or border control? 

It would start with establishing a vetted identity. At some point in the patient journey, whether it’s during registration with a provider, through an insurance onboarding process, or via a trusted third-party verification service, an individual’s identity would be confirmed against authoritative documents. Not just glanced at, but validated like when you register for a trusted traveler program. This means presenting a passport. Real ID. Possibly other types of records or documents. And answering questions that only you would know.   

This process may be a bit time-consuming, but it only needs to happen once. After the person is carefully vetted, they receive a secure digital identity that can be trusted across the entire healthcare ecosystem. It includes a biometric identifier, such as an encrypted facial template. This template is a compressed map of an individual’s facial geometry represented as a string of positioning data points. It is not a photo, nor is it data that can be reconstructed into the original face image. Templates are stored securely on the healthcare organization’s server, in the cloud, or remain solely in the possession of their owners – on each user’s smartphone or card. 

In practice, a system like this would not be delivered by a single technology provider. It would be implemented in collaboration with the hospital’s IT team and third-party providers, using Suprema’s biometric devices and APIs as part of a broader digital identity strategy. 

Now, when patients arrive at the hospital, imaging center, or specialist’s office, they don’t have to prove who they are. By presenting their vetted identity and face to a biometric reader, the system can immediately perform a match and verify that they are the same person. Once logged in, they need only their face to continue verifying their identity as they move between departments and receive treatment.  

Why Facial? 

Fingerprint biometrics have already been adopted in many healthcare environments. They do strengthen patient identification but fall short in several important ways. 

In a clinical environment, any solution that requires touching shared surfaces raises hygiene concerns. Touchpoints are a problem among healthy populations. They pose an even greater threat among those who are ill or immunocompromised – a large percentage of the hospital population. Ideally, each reader should be cleaned between uses – a requirement that’s completely unrealistic. Fingerprint authentication can also be slow. Patients must place their finger, hold it still, and try again if it doesn’t read.  

Facial authentication is different. Seamless. An identity can be verified within a fraction of a second – even if the patient is wearing a mask. There’s nothing to touch or clean. And when identity verification is that easy and convenient, it can happen more often throughout the patient's journey. 

The benefits extend well beyond patient identification. Medical personnel can seamlessly access sensitive areas like operating rooms, intensive care units, and drug dispensaries. IT staff can better control contractor access to data centers and critical infrastructure. And HR can use facial authentication to simplify and harden its time and attendance systems. In other words, the same trusted identity can support both patient safety and operational security. 
 

The Good News 

When you started reading this post, you might have assumed I was going to tell you that I was the victim of medical identity fraud. I wasn’t. 

Everything about my experience went as planned. And as far as I know, the billing has been accurate – at least so far. But I can’t stop reflecting on the fact that at no time, throughout my care, was I required to definitively prove that I was who I claimed to be. Everyone assumed I was honest. Not all patients are. 

The good news is that healthcare systems can now start doing a better job. We already know what a stronger model looks like, and we have the technology to support it. Suprema’s facial authentication solution, BioStation 3, offers on-prem, cloud, and decentralized Template-on-Mobile credential storage options and flexible edge devices that can read not only faces, but cards, mobile, and QR codes. Reach out to learn how our solutions can help your organization improve patient identity verification, reduce fraud, and save a whole lot of money in the process.