When identity theft happens in hospitals or medical offices, money may be the least of the victim's worries.

Health insurance identification and other medical records are stolen about 250,000 times a year nationwide in an offense believed to be rising, according to experts Wednesday at a state summit in Burbank on identity theft and cyber safety. The records may be used so the thief can have a surgery at someone else's expense or as tools employed by an organized crime ring to get thousands, even millions of dollars in false medical claims.

The insurance company, Medicare or Medi-Cal ends up absorbing the majority of the financial costs, said Pam Dixon, executive director of the World Privacy Forum. But a victim's medical history can be fatally wounded.

An Arizona man's records were stolen and now show that he has HIV and diabetes though he has neither condition, Dixon said. He can't get a copy of the records, much less change them.

"The harm can be extraordinary," Dixon said.

In a nation beset by somewhere between 8 million and 15 million identity thefts a year, stolen medical records comprise only about 3 percent of the crimes. But the high cost of healthcare means criminals can gain huge profits while placing their victims at incredible risk, Dixon said.

She told of a California woman whose insurance card was stolen by her sister. The victim ended up getting the wrong antibiotic.

"She nearly died," Dixon said.

Often, the crimes involve an employee who has access to records and sells them, Dixon said. The buyers start cautiously. They send false bills to insurers for $60 or $70 charges for ongoing conditions like diabetes or cancer. Upon finding the gold mine of claims that go unchallenged, they send as many bills for as many people as they can.

Hospitals and clinics fight many attempts to correct falsified records information or to provide copies because of federal laws designed to protect the patient's records, Dixon said. They argue that because the information has been changed and now belongs to someone else, the victim doesn't have access to it.

But Jim Lott, executive vice president of the Hospital Association of Southern California, called Dixon's claim "absolutely false."

He said medical identity theft is very rare, but when it happens, hospitals and doctors will provide victims with copies of the record and correct any errors.

"It requires some research and work done, but there's no problem in sorting it out," he said.

Insurance companies, hospitals, doctors and others can reduce the risk of identity theft by restricting access to records, said Sharon A. Anolik, director of corporate compliance and ethics at Blue Shield of California.

They can limit the offsite use of laptops and make it impossible for employees to "pod slurp," meaning downloading files onto portable storage units.

Healthcare companies should hire consultants to assess their privacy and security policies, Anolik said. They should have strategies for how to handle incidents.

"Every institution will have an incident," she said.

Some providers deal with the risk of medical identity theft head-on and flag suspect records or extract false information from a file without destroying it, Dixon said.

"You call some hospitals, and they say we've never heard of this," she said.

The Cyber Safe California Summit was sponsored by state departments including the Office of Privacy and Protection.

Consumers were told not to give out their Social Security numbers, to use cross-cut shredders to destroy personal information and to regularly update anti-spyware and other software that protects their computers.

And don't use debit cards that can be used like credit cards without inputting personal identification numbers. Credit cards are protected better by federal law, and money stolen from debit cards is much harder to recover.

"You have to beg for that money back," said Mari Frank, a lawyer and privacy consultant. "It's such a hassle, just don't even use them."