Stop Asking Me to Prove I'm Me
Why Healthcare Verification Is Broken—and Dangerous
January 2025
Let Me Paint the Scene
I get a text message from St. Luke's.
It says: "Pay your bill."
That's it. No context. No receipt. Just a link.
And to access anything meaningful—like why I'm being charged or what the charge is for—I have to hand over my date of birth and last four of my SSN.
You know what that sounds like?
A scam.
"Who's Verifying Who?" – An Abbott & Costello Sketch
So naturally, I called the number on the text. What followed was pure Abbott & Costello—only instead of "Who's on first?" it was "Who's verifying who?"
Me: Who is this?
Rep: I can't tell you until you verify who you are.
Me: I can't verify who I am until you tell me who you are.
Rep: Perfect! Just give me your Social Security number.
Me: To WHO?
Rep: To your healthcare provider.
Me: Which one?
Rep: I can't tell you.
Me: Why not?
Rep: Privacy.
Me: You won't tell me who you are... for MY privacy?
Rep: Exactly! We take your privacy very seriously.
Me: By asking for my Social Security number?
Rep: Yes, to protect your privacy.
Me: From who?
Rep: From unauthorized people.
Me: Like you?
Rep: No, I'm authorized.
Me: Says who?
Rep: I can't tell you that until you verify.
Me: ...I'm hanging up.
The verification paradox: "Who are you?" - "We can't say until you say who you are."
And that, ladies and gentlemen, is healthcare "security" in 2025.
The rep couldn't—or wouldn't—prove who they were until I proved who I was. Using information that scammers actively hunt for. Information that's been leaked in dozens of breaches. Information that proves nothing except that I know… my birthday.
I didn't start this conversation—you did! And yet somehow, the burden of proof is entirely on me.
The Burden of Proof Is on the Patient—and That's Backwards
In every other industry—banking, tech, e-commerce—companies work hard to earn your trust before asking for sensitive information.
But healthcare?
It's still operating like it's 1998.
You're expected to hand over PII to access more PII…
Without knowing if the sender is even legit.
And here's the kicker: in today's world, you're being scammed using the same tactics your provider uses. Good luck telling them apart.
Healthcare Data Is a Prime Target—and Easy Pickings
Medical data is some of the most valuable data on the dark web.
- Healthcare organizations are high-value targets and often have weak verification flows
- Patients are stressed, distracted, and in many cases not tech-savvy
- The stakes are high—missed bills can go to collections, insurance denials can be financially devastating
It's a perfect storm. And attackers know it.
Which is why the "pay now" link you get in your inbox could just as easily be from a criminal as your doctor's office.
Asking for PII to Unlock PII Is a Logical and Security Disaster
Let's call it what it is:
Circular reasoning, also known as the begging-the-question fallacy.
"If you're really you, prove it by giving us the very data we're supposed to be protecting."
It's a flawed loop:
- You give them sensitive data to prove your identity
- But that data is your identity
- So if someone else has it—which is entirely likely—they can impersonate you just as easily
It's like asking someone to unlock the vault… using the vault key that's taped to the outside of the vault.
Let's Flip the Script: Providers Need to Verify Themselves
Here's what should happen instead.
Before asking for anything sensitive, providers should:
- ✅ Reference a specific visit or named clinician – "Following up on your 1/10 visit with Dr. Smith"
- ✅ Provide a verifiable domain or branded link – No sketchy short URLs or generic payment portals
- ✅ Include a one-time code sent to your known contact – Multi-factor verification that only you have
- ✅ Offer multi-channel confirmation – Email and SMS with matching context, not just one mystery link
- ✅ Never treat date of birth or SSN as "secret questions" – This data is already compromised for millions of Americans
Put simply: verify yourself before asking me to trust you.
Zero Trust Shouldn't Just Be for Networks—It Should Be for Patients
If we expect patients to adopt a "zero trust" mindset, then healthcare systems need to play by the same rules.
That means:
- Clear provenance – I should be able to verify this came from you
- Consistent branding – No generic "healthcare billing portal" nonsense
- Smart authentication – Use app-based verification, device trust, or secure portals with proper session management
- No lazy shortcuts – Stop using DOB + SSN like it's a password
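The two lists above (provider self-verification, and zero trust applied to patients) can be expressed as a concrete check that a patient-side app runs before it lets anyone type in a single piece of personal data. The following is an added example written for this post; it is not code from the author, from St. Luke's, or from any provider's system. It assumes a hypothetical in-person enrollment step at which the patient's app receives a secret (device trust), and it uses an HMAC with that secret as a stand-in for the asymmetric signature a real deployment would use; the domains, messages, amounts and timestamps are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed for this example: a secret the patient's app would receive in person
# at enrollment (for instance scanned from a QR code at the front desk). It is a
# hypothetical stand-in for device trust; no real provider's system is shown here.
ENROLLMENT_SECRET = b"constructed-enrollment-secret-do-not-reuse"

# Constructed allowlist of the provider's own domains, pinned at enrollment.
KNOWN_DOMAINS = {"billing.example-clinic.org", "portal.example-clinic.org"}

# Fields a provider must never request as "proof" that the patient is the patient.
FORBIDDEN_PROMPTS = {"ssn", "ssn_last4", "dob", "date_of_birth"}

MAX_AGE_SECONDS = 24 * 60 * 60

# Constructed fixed timestamp so the example is reproducible.
ISSUED_AT = 1_736_500_000


def _canonical(msg: dict) -> bytes:
    """Deterministic byte encoding of every field except the signature itself."""
    body = {k: v for k, v in msg.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(msg: dict, secret: bytes = ENROLLMENT_SECRET) -> dict:
    """Provider side: bind visit context, link and timestamp together under one HMAC."""
    signed = dict(msg)
    signed["signature"] = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
    return signed


def verify_notification(msg: dict, now=None, secret=ENROLLMENT_SECRET, domains=KNOWN_DOMAINS):
    """Patient side: decide whether the SENDER has proven itself before any data is typed in.

    Returns (accepted, reason). Every check is a property of the message, not of the patient.
    """
    now = time.time() if now is None else now

    # 1. Provenance: the sender proves who it is with a key only the enrolled provider holds.
    sig = msg.get("signature")
    if not isinstance(sig, str):
        return False, "unsigned: sender has not proven who it is"
    expected = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch: message altered or not from the provider"

    # 2. Freshness: the timestamp sits inside the signed body, so a replayed notice expires.
    issued = msg.get("issued_at")
    if not isinstance(issued, (int, float)) or not (0 <= now - issued <= MAX_AGE_SECONDS):
        return False, "stale or future-dated notification"

    # 3. Branded, verifiable link: the host must be one of the provider's pinned domains.
    host = urlparse(msg.get("link", "")).hostname
    if host not in domains:
        return False, f"link host {host!r} is not a known provider domain"

    # 4. Context: a specific visit and clinician, not a bare "pay your bill".
    if not msg.get("visit_date") or not msg.get("clinician"):
        return False, "no visit context (date and clinician) in the message"

    # 5. Never DOB or SSN as a "secret question".
    asked = {str(p).lower() for p in msg.get("prompts", [])}
    forbidden = sorted(asked & FORBIDDEN_PROMPTS)
    if forbidden:
        return False, f"asks for {forbidden} as verification"

    return True, "sender verified; safe to open the portal"


def provider_notification() -> dict:
    """Constructed: a context-bearing, signed billing notice done the right way."""
    return sign_notification({
        "from": "Example Clinic billing",
        "visit_date": "2025-01-10",
        "clinician": "Dr. Smith",
        "amount_usd": "42.00",
        "link": "https://billing.example-clinic.org/statement/7f3a2c",
        "prompts": ["portal_login", "one_time_code"],
        "issued_at": ISSUED_AT,
    })


def mystery_text() -> dict:
    """Constructed: the bare 'pay your bill' text from the post, no context, no proof."""
    return {
        "from": "unknown",
        "text": "Pay your bill",
        "link": "https://pay-now.example-short.link/abc",
        "prompts": ["dob", "ssn_last4"],
    }


def tampered_notification() -> dict:
    """Constructed: a genuine notice whose link was swapped after signing."""
    msg = provider_notification()
    msg["link"] = "https://billing.example-clinic.org.not-the-clinic.example/statement/7f3a2c"
    return msg


if __name__ == "__main__":
    samples = [("provider", provider_notification()),
               ("mystery text", mystery_text()),
               ("tampered", tampered_notification())]
    for label, m in samples:
        print(f"{label:13s} -> {verify_notification(m, now=ISSUED_AT + 600)}")
```

Note the direction of the burden: the patient's app never sends anything; it only inspects what arrived. The unsigned "Pay your bill" text is rejected before its DOB/SSN prompts are even looked at, a notice whose link was swapped fails the integrity check, and a day-old notice cannot be replayed because the timestamp is under the signature. Swapping the HMAC for a signature verified against a key pinned from the provider's own domain removes the need for a shared secret without changing any of the five checks.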
Because sending a mystery link and asking someone to type in their personal details isn't "secure by design."
It's security theater.
Let's Make It Easier to Trust—and Harder to Exploit
This isn't just a security problem.
It's a user experience problem.
It's a trust problem.
It's a patient safety problem.
If you want my trust (and my payment), don't make me do the detective work.
Don't make me wonder if clicking this link will result in identity theft.
Don't put the burden of verification on the patient when you're the one asking for sensitive information.
Final Word
Healthcare leaders:
You wouldn't accept this kind of interaction from your bank.
So why are you subjecting your patients to it?
Let's fix this.
Let's flip the verification model.
Let's stop asking patients to prove they're real… by giving up the very data criminals are hunting for.
🔐 Trust is earned. Start earning it.
About the Author: Mark Dorsi is a CISO, cybersecurity advisor, and patient advocate who believes security should empower users, not exploit them. With over 20 years of experience building security programs that respect human dignity and user agency, he advocates for systems that make trust easy and exploitation hard.