
Medical Identity Theft Goes High-Profile

New laws gain traction against elusive crime

June 2009


For years, the name Joe Ryan has been practically synonymous with medical identity theft. A pilot in Vail, Colorado, Ryan received a collections notice in 2004 for $41,000 in surgery costs from a Denver hospital. He had never visited the hospital in his life. Nevertheless, someone using his name and Social Security number received extensive treatment and stuck him with the bill. He spent the next two years teetering on the verge of bankruptcy, trying in vain to clear his name.

It was a story so nightmarish that Ryan was featured in a Reader’s Digest article on medical identity theft. Since then, however, there have been very few stories of actual medical identity theft victims in the media.

The crime has essentially remained a villain without a face, even though we know what medical identity theft is: fraudulently using someone else’s medical information to obtain drugs, medical services or income. And the risks of medical identity theft are as predictable as they are enormous—the use of a stolen identity to obtain surgery, for example, could result in both people receiving transfusions of the wrong blood type, possibly killing both.

Even so, when the U.S. Department of Health and Human Services conducted a year-long study of medical identity theft, the main result was a call for more studies. “[A] large number of individuals and organizations are unaware of the issue of medical identity theft and the extent to which this form of identity theft exists,” the report asserted. Doctors, hospitals and consumers all see the trail the crime leaves behind: stolen medical records, fraudulent calls for pharmacy prescriptions, patients receiving bills for surgeries that never happened (at least not to them). The Federal Trade Commission estimated that a quarter million Americans became victims of medical identity theft in 2006.

But health care experts and journalists across the country continued to ask: Well, where are they? If this is such a horrible problem, why can’t we see it?

The Fog Lifts
Now, finally, the fog of mystery surrounding medical identity theft may be starting to lift. New federal laws soon may require doctors, insurers and hospitals to track and respond to medical identity theft, and to inform patients and customers whose personal information is compromised in a breach. One law also gives state attorneys general authority to enforce federal privacy regulations.

These new powers and responsibilities will give us new sources of information—breach notification letters, investigations, lawsuits—that will illuminate the scope and depth of the problem. Organizations including the World Privacy Forum, a nonprofit group that conducts research and consumer education about privacy issues, plan to produce reports soon that, their leaders say, will include detailed stories from victims and new statistics to illuminate the issue.

Meanwhile, big cases of brazen medical identity theft, like the hacker who recently demanded $10 million in return for the stolen records of 8.3 million patients, guarantee that media interest in medical identity theft will remain high.

“We’re way beyond the denial phase,” says Pam Dixon, executive director of the World Privacy Forum. “There may not be high quantifiability, but there is no lack of real cases here.”

Stick ’Em Up. Your Money or Your Data...
The ransom note was clipped and the punctuation clunky, the electronic version of letters cut from a newspaper:

“ATTENTION VIRGINIA,” the message began. “I have your [expletive deleted]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid....”

There is no honor among thieves, apparently, nor grammar. The note was posted on the home page of the Virginia Prescription Monitoring Program’s web site.

To take Mr. Congeniality up on his offer, recipients were instructed to contact him at his email address. The thief claimed to have stolen patient information – which potentially includes names, addresses, birthdates, Social Security numbers, prescribed drugs, and prescriber and dispenser ID numbers – from a web site maintained by the Virginia government agency that tracks prescription drug abuse. The FBI and state police are investigating the case.

“This is a crime and it is being treated that way,” Gov. Timothy M. Kaine told news organizations.

If the thief makes good on his threat and sells the information on the black market, patients could be set up for any number of potential scams. The data could be re-sold to people looking to obtain free medical care and stick victims with the bill. Because the state uses the web site to track prescription drug abuse, the information might also be used in further ransom schemes. According to a news report in The Virginian-Pilot, experts worry that thieves could use this information to obtain prescription drugs that have a street value and, in the process, potentially bar patients from legitimately obtaining their refills. The data also might be bought by doctors looking to fatten profits by submitting false insurance claims for procedures they never actually performed on victims whose information was compromised in the breach.

While this is bad news for the 8.3 million potential victims, the story helped spread the news about the dangers of medical identity theft. That’s because the words “8 million victims” and “ransom” proved shocking enough to grab media headlines for medical identity theft, which is all too often left out of stories about health care fraud. “It’s a slow process of awareness building,” Dixon says. “Our greatest concern is that the victims of this crime have been largely forgotten.” 

The Virginia ransom case was an instance of wholesale identity theft, in which large numbers of records are stolen for profit. Another form of identity theft for profit is called “conspiratorial” medical identity theft, Ed Goodman, chief privacy officer for Identity Theft 911 LLC, says. In most conspiratorial cases, a doctor recruits people to pose as patients for medical services that may or may not be rendered. In either case, the doctor receives insurance payments for the care, and the “patients” receive kickbacks.

In other cases, health care itself is the goal, not money. The “classic” form of medical identity theft, Goodman says, involves a thief stealing someone else’s medical information to obtain care.

A variation of this is familial theft, a consensual crime in which someone “lends” medical data to a family member or friend, who uses it to obtain care.  “Frankly, with a broken economy and health care system, the motivation to seek medical care under someone else’s insurance is great since anybody without coverage is facing financial ruin,” Goodman says. “If you obtain the information of someone who has good coverage, why not?”

HITECH Gives Teeth to HIPAA
Two new federal laws seek to mitigate the problem. One is the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed by Congress in February 2009. The law is sweeping in scope, but can be simplified into two parts. The first part, enacted as a piece of the larger economic stimulus package recently passed by Congress, offers reimbursements for doctors who pay to convert their medical records into electronic files.

“In five years, every doctor in every hospital will use electronic medical records and be able to exchange data,” John Halamka, chief information officer for Beth Israel Deaconess Medical Center in Boston said in comments to the media in January. “It will take an immense amount of work. And the doctors will work a little harder and lose productivity in the beginning, but in the end quality will improve and costs will go down.”

Among people who care about medical identity theft, this is cause for moderate concern. “Doctors’ offices have such high overhead that they don’t always have the most up-to-date computer or malware systems,” says Goodman. “I think they’re seriously at risk for a data breach.”

The sheer number of physicians expected to participate also worries privacy advocates. 

“This Virginia hacker incident really highlights that having thousands of access points to electronic medical records is potentially quite dangerous,” says Dixon.

The second part of the HITECH Act imposes the first federal breach notification requirements on doctors, insurers and hospitals, who previously were subject only to the differing notification requirements of various state laws. In addition to helping people discover that they’ve been exposed to the risk of identity theft and to begin taking steps to fix the problem, this requirement could give us a treasure trove of data about medical identity theft, because notification letters will explain how the breaches happened.

The medical industry accounted for nearly 15% of recorded data breaches in 2008, more than the financial/credit sector, which was responsible for nearly 12% of recorded breaches last year, according to the Identity Theft Resource Center, a nonprofit organization that provides identity theft resolution and education.

The other exciting provision of HITECH is that it gives teeth to the Health Insurance Portability and Accountability Act (HIPAA), which included extensive rules regarding protection of patient privacy when it was passed by Congress in 1996, but contained no provisions for enforcement. HITECH finally changes that, empowering state attorneys general to investigate and prosecute medical identity thieves. That will mean even more public documents exposing the methods of medical identity theft. It also could mean a belated return on investment for physicians.

“Doctors spent a good amount of money to become HIPAA-compliant, and nothing ever happened because for 11 years there was never any enforcement,” Goodman says.

Red Flags Rules Raise Debate
The cause of fighting identity theft also may be advanced by the new Red Flags rules, required by Congress in 2003 as part of the Fair and Accurate Credit Transactions Act (FACTA). According to the rules, any company that accepts deferred payment for services or goods must identify the red flags, or warning signs, of identity theft that they might encounter in their business. Companies must develop protocols for detecting those warning signs, and decide in advance how they will respond. 

There remains a brewing argument between the Department of Health and Human Services and the American Medical Association over whether the Red Flags rules should apply to physicians and hospitals. The AMA maintains that the medical community was not given enough time to comply, and that hospitals and physicians should not be covered under the rules because they are not actually creditors.

The federal government has responded with two consecutive postponements in the compliance deadline. But so far regulators have insisted that “the plain language of the statute covered all entities engaged in the provision of credit... and does not permit industry-based exclusions,” according to a letter from the DHHS to the AMA. 

It appears likely, therefore, that physicians and hospitals eventually will be required to draw up plans for how to spot and respond to identity theft. This may lead to improved detection, and hopefully will make it more difficult for medical identity thieves to get away with the crime. Since enforcement will only happen after the fact, presumably in response to a particularly large or malicious data breach, the Red Flags rules may eventually give us a window into large-scale medical identity theft operations, and which internal controls prove particularly ineffective at stopping them.

The Known Unknowns
There is still much we don’t know about medical identity theft. Is it more common within families or peer groups, where one relative or friend “borrows” the identity of another to obtain medical treatment? Or is wholesale, large-scale, for-profit fraud becoming more popular as identity thieves discover new ways to steal medical records?

And once a consumer discovers that erroneous health information has worked its way into his file as a result of medical identity theft, how can it be corrected? That may have been a simple task two decades ago, when most medical records were held primarily by personal physicians. Now that files are spread across the databases of multiple service providers, insurance companies and subcontractors, however, it’s become increasingly difficult to keep dangerous and erroneous information out of medical records. 

Identity theft victims’ advocates argue that medical records should be treated the same as credit reports, which consumers have finally won the right to inspect for errors. But so far, the issue has not been taken up by state or federal lawmakers. 

“Patients don’t have the right or the opportunity to correct false information in their medical file,” Goodman says. “After an error is made, correcting it is a nightmare.” 

But the good news is that the United States is starting to get traction in the fight against medical identity theft. New laws, new investigations and more headlines about outrageous breaches may finally help Americans realize that their privacy, and their lives, are in danger. 

“Boy, we’ve got some problems to solve,” says Dixon. “But before we can solve the problems, we have to acknowledge them.”

For more information on the Red Flags rules, read Identity Theft 911’s April 2009 newsletter, New Tools to Combat Identity Theft.


©2003-2010 Identity Theft 911, LLC. All rights reserved.
