Lock down your devices & accounts
Start by hardening the basics: use a password manager to create unique 16-character passwords for every account, especially your patient portal. Turn on multi-factor authentication everywhere, ideally using passkeys or a hardware key rather than SMS codes. Keep devices up to date, enable full-disk encryption, and require a biometric or long passcode on the lock screen. Avoid logging in over public Wi-Fi; use cellular or a trusted VPN, and be suspicious of links or attachments that ask for credentials. These habits block the most common attacks before they ever reach your medical data.
Be intentional with portals, apps, and wearables
Your data often flows through portals, mobile apps, and wearables, so be selective about what you connect. Only connect apps you truly trust, and review permissions quarterly; your portal password may protect far more than you realize. Prefer secure in-app messaging over email for records, and when exporting, share only the minimum necessary files. If you use wearables or third-party health apps, read their privacy policies for data sharing with advertisers or data brokers and opt out where possible. When in doubt, keep sensitive files offline or store them in an encrypted container.
Use your rights with providers and insurers
With providers and insurers, exercise your privacy rights rather than assuming sharing is automatic. You have HIPAA rights to access, correct, and get an accounting of who saw your records—use them. Ask for the “minimum necessary” standard when staff request broad releases, and if you pay a bill out-of-pocket in full, you can request that visit not be shared with your health plan. Set a communications preference (secure portal or verified phone), add a PIN for phone lookups, and request electronic copies instead of physical media that can be lost. If your portal supports it, review audit logs to see recent access, and request a correction if you spot errors that could be reused widely.
Plan for breaches and ongoing monitoring
Assume a breach will happen somewhere and prepare to limit the fallout. Place free credit freezes with Equifax, Experian, and TransUnion, and add a fraud alert if you think your identity was exposed. Monitor explanation-of-benefits and portal notifications for any unfamiliar provider, prescription, or claim and report fraud immediately. Keep offline backups of critical documents, maintain a list of your providers and portals, and create an emergency plan that a trusted person can access. If you receive a breach notice, use official FTC guidance for identity theft recovery and push for credit monitoring if offered.