Download a PDF of the Current Issue 2015 Volume 12 Number 3 July- September

Preventing Medical Identity Theft

Jan Rebstock, RHIT, LHRM, CPHRM
6-4-1 As telemedicine and electronic patient records (EHR) become more commonplace, so does the threat and incidence of security breaches by hackers and attackers. The transition to electronic health records is a national priority under the HITECH Act and while the EHR is expected to improve timely health care, and prevent medical errors, it also exponentially increases the opportunities for medical identity theft. The Federal Trade Commission estimates that 250,000 to 500,000 people have been victims of medical identity theft since 2003.1   Whether for the purpose of general or medical identity theft or other fraudulent intent, large complex data bases are attractive to cybercriminals and inside perpetrators because the crime is often easier to accomplish, the numbers make it more lucrative and it ‘s harder to detect.   What is Medical Identity Theft?   Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity such as insurance information without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. 1   Medical identity theft is also more lucrative than general identity theft; a stolen Social Security number is estimated to have a street value of $1 per identity while stolen medical identity information averages $50 per identity. 3   The potential negative impact of medical identity theft is significant and broad-based for both patients and providers. Perhaps one of the most harmful ramifications is the fraudulent alteration of a patient’s medical information which could result in a patient receiving the wrong treatment and having a deadly outcome. To make matters worse, these kinds of errors are not easily discovered as many patients do not have copies of all their medical records and may not become aware of a problem until they have a reason to scrutinize them. Even when medical identity theft is discovered, it is extremely difficult to correct erroneous information that may have already been released to other medical providers, medical clearinghouses or insurers. Additionally, victims can be faced with credit card harassment by debt collectors, loss of or difficulty finding employment, denial of insurance and even wrongful allegations of criminal activity. Providers are also victims, perhaps having to return money to insurance companies, face potential litigation and civil penalties as well as deal with negative press and consumer confidence.   Some examples of Medical Identity Theft 4,1:  

◆ One week after a woman’s child was born, she received a bill for $94 from an unknown clinic in the name of her newborn son where the painkiller Oxycontin had been prescribed for the infant’s work-related back injury.

◆ Another mother of 4 was notified by a social worker that her baby tested positive for methamphetamines and as a result, the state planned to take away all of her four children. The mother hadn’t been pregnant for 2 years but her stolen driver’s license had ended up in the hands of a meth user who gave birth

◆ using the mother’s name. Despite hiring a lawyer to sort out the damage to her legal and medical records, the records had been circulated electronically and the mother’s record contained the thief’s blood disorder and emergency medical contact number.

◆ One woman was surprised to have her insurance company reject her claim for a $189 gynecological visit and found that another woman had already used her name to pay for the one allowed annual checkup.

◆ A Pennsylvania man discovered that an imposter used his identity at five different hospitals to receive more than $100,000 worth of medical treatment.  At each hospital, the imposter created medical histories in the victim’s name.

◆ An office coordinator at a Cleveland clinic in Florida printed out 1,100 patient records, then sold them to her cousin for $5-$10 per patient.

◆ A Colorado man had his medical identity stolen by a man who received multiple surgeries in his name. The victim did not have insurance and lost property and his business as a result.

  Suggested Facility Prevention Strategies:

◆ Perform regular facility assessments, testing and surveillance of technology security

◆ Regularly evaluate and update data encryption, firewalls and intrusion detection programs and systems

◆ Include information about medical and other identity theft in new hire and annual employee educational training programs

◆ Assess the placement, accessibility and visibility of computer monitors, fax machines and medical records

Suggested Individual Prevention Strategies:  

◆ Secure personal information in your home and shred documents that contain confidential information such as your health insurance ID number or social security number instead of throwing them in the trash

◆ Read explanations of insurance benefits of treatment received for accuracy

◆ Exercise your right to a free annual copy of your credit report from the three major credit bureaus and review any unpaid medical bills

◆ Observe your surroundings when providing/ displaying insurance or other personal identifying information

◆ Maintain an up to date copy of your medical records

◆ Do not give personal identifying information to telemarketers or door-to-door solicitors

  Some actions you can take if you are a victim of medical identity theft:  

◆ Place a fraud alert on your credit report by calling the toll free numbers for any of the three consumer reporting companies; TransUnion1-800-680-7289, Equifax-1-800-525-6285 or Experian-1-888-397-3742.

◆ Notify the police and complete an identity theft report

◆ File a complaint with the State Attorney General’s office, State Insurance Department and the Identity Theft Data Clearinghouse operated by the Federal Trade Commission

◆ Notify your health care providers and demand that providers or insurance companies correct erroneous information or append and amend records to alert users to inaccurate content.

◆ Notify your health insurance company

  Preventing medical identify theft requires a multifaceted organizational approach to ensure that adequate technical, physical and individual security safeguards, policies and procedures are in place. While data networks may help tie the world together, those ties need to be strong enough to prevent or at least deter information crimes.   For more information log on to UF’s privacy site: http:// privacy.ufl.edu/identity/how.html or Shands Privacy site: https://my.portal.shands.ufl.edu/portal/page/portal/ DEPT_CONTENT/DEPT_CORE/Legal/Privacy and HIPAA   References: 1. Medical Identity Theft: The Information Crime that Can Kill You, Pam Dixon, World Privacy Forum, May 3, 2006   2. Medical Identity Theft Final Report, Booz,Allen,Hamilton   3. “Mitigating Medical Identity Theft.” Journal of AHIMA 79, No. 7 (July 2008): 63-69   4. http://www.msnbc.msn.com/id/23392229/from/ET/   5. http://www.creditcards.com/credit-card-news/how-toprevent-medical-id-identity-theft-1282.php   6. Preventing and responding to medical identity theft, Geraldine Amori, Ph.D., DFASHRM, CPHRM, ARM,  Journal of Healthcare Risk Management,Vol. 28 No. 2 P. 33   7. http://myfloridalegal.com/idkitprintable.pdf   8. http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm