‘Juice jacking’ plus music gift cards
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Imagine Linda Weaver's shock in 2007 when she received a hospital bill for the amputation of her right foot. She didn't need to look down at her two intact feet to know that this was bunk.
She soon discovered an identity thief had stolen her Social Security number (SSN) and insurance identification number. Posing as Linda Weaver, the fraudster had the costly amputation performed. To make matters far worse, Weaver later found that the thief's medical information was merged into her medical file. Her medical chart now listed her as having diabetes – the criminal's condition, not hers.
Just think of all the life-threatening complications she or anyone else in this situation could potentially face. The wrong blood type listed in the file, not documenting a heart condition, and allergies or intolerance to certain medication can result in trauma or death. "I now live in fear that if something ever happened to me, I could get the wrong kind of medical treatment," said a clearly troubled Weaver in the article, "Diagnosis: Identity Theft," by Dean Foust in the Jan. 8, 2007, issue of BusinessWeek.
As more health records are computerized and made available to medical providers on the Web, more data breaches and medical record compromises will occur.
The U.S. Federal Trade Commission (FTC) in its pamphlet, "Fighting Back Against Identity Theft," defines medical identity theft as occurring "when someone uses your personal information without your knowledge or consent to obtain, or receive payment for, medical treatment, services, or goods. Victims of medical identity theft might find that their medical records are inaccurate, which can have a serious impact on their ability to obtain proper medical care and insurance benefits."
The FTC's 2006 Identity Theft Survey Report provided key findings on medical identity theft. Three percent of all identity theft victims indicated that a fraudster had obtained medical treatment, services, or supplies using their stolen personal information. That translates to approximately 250,000 victims for calendar year 2005.
Anyone who receives medical care can potentially become a victim; however, "people 50 and older are at the greatest risk because they often have some kind of government-issued insurance, such as Medicare or Medicaid," states Pam Dixon, executive director of the World Privacy Forum, in the article, "Stealing Your Health," by Sid Kirchheimer in the September 2006 issue of the AARP Bulletin. The World Privacy Forum is a nonprofit research and consumer education organization that closely monitors medical identity theft.
IT'S OFTEN AN INSIDER
The Social Security number, the key to our financial vaults, is also commonly our medical identifier, which creates another avenue for identity theft. Stolen resumes sell for about 7 cents on the black market, but pilfered medical records bring $50 to $60 each. There's a gold mine of valuable data inside medical files in doctors' offices, hospitals, and clinics everywhere. The crook who steals your medical identity often isn't some dumpster diver or ingenious hacker, but a trusted health-care worker.
"We have the anecdotal information that [medical identity theft] is increasing," said Dixon in the article, "Medical Identity Theft Is Often an 'Inside Job,'" by Beth Wilson in the March 3, 2008, American Medical News. "We do see some of that when someone steals a wallet or they steal someone's name. That does happen. But the preponderance of cases are happening from insider jobs."
These nefarious insiders have easy access to the information. While the HIPAA Privacy Rule requires both limited access to medical records and data safeguards including securing records with lock and key or pass codes, insider fraudsters might be able to defeat these security measures. In fact, recent history confirms that safeguards don't always work.
A patient coordinator at a clinic in Weston, Fla., stole medical data on approximately 1,130 patients and sold the information to her cousin, according to the article, "Medical ID Theft: Spreading the Pain," by James Quiggle in the fall 2007 issue of Fraud Focus. Both were eventually arrested and convicted.
Criminal rings also see the value in medical information; they've been known to set up fake clinics in an effort to obtain patient information for use in health-care fraud and identity theft. In one case, they lured elderly Medicare patients to a clinic near San Jose, Calif., "by offering free transportation, a nutritional supplement and skin oil," according to Quiggle's Fraud Focus article. He reported that phony doctors performed superficial examinations on the victims and then submitted fraudulent medical claims in their names to the tune of more than $1.1 million.
Medical files aren't the only source of personal information sought by fraudsters. Patient wristbands, used during hospital stays, may contain SSNs and other identifying data. A few years ago I had surgery and was given a wristband. Although the hospital didn't place my SSN on the band, it did include my full name and date of birth.
During hospital stays, patients also will leave wallets and purses containing personally identifiable information (PII) in hospital rooms, which leaves them completely vulnerable to theft.
THEFT AND FRAUDULENT USE OF PHYSICIAN NAMES AND LICENSES
Identity thieves have resorted to the theft of physicians' names, medical license information, tax identification numbers, and other related information to defraud various state and local medical service programs.
In December 1999, the California attorney general and California Department of Health Services reported the defrauding of the California Medi-Cal Program. The Medi-Cal Program provides basic health-care services for California residents who are poor, disabled, elderly, or otherwise qualified. According to the California attorney general, this scheme resulted in fraud losses of more than several million dollars. The identity theft worked in this way:
California put new procedures into place to prevent this fraud, including increased scrutiny and review of all new requests for provider numbers and changes of address. As a further internal control, original providers were contacted to verify they had actually submitted a request for a new payment location. Doctors were told to protect their license information by placing a recommended statement on any copies of their licenses provided to hospitals or others: Copy Provided for Use by (name of hospital/clinic) Only. Another recommendation was for hospitals and other medical providers to place their business stamps on all file copies of physician licenses.
The enhanced focus on prevention and prosecution paid off in just a few months. In July 2000, six suspects were arrested in Los Angeles in a large Medi-Cal fraud and identity theft scheme. According to a California attorney general's July 6, 2000, press release, the suspects allegedly purchased "physicians' medical licenses and identification from Los Angeles-area hospital employees in a sophisticated fraud, identity theft, and money laundering conspiracy."
The suspects then were believed to have created phony businesses and opened mail drop boxes to receive the payment checks from the state. They opened bank accounts using fraudulent identification documents in the names of the victimized doctors to cash the state payment checks. Also, the suspects were accused of having laundered the stolen proceeds through the business of a co-conspirator. The attorney general said at the time that "schemes such as this one victimize not just the taxpayers, but also patients and medical doctors. Seven physicians and more than a thousand patients had their identities stolen, and it has resulted in well over a million dollars in fraudulent claims being paid by Medi-Cal."
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
The 1996 U.S. Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, is sweeping legislation that has had enormous impact on health-care providers and patients. HIPAA covers everything from health-care access, portability, and renewal, to preventing health-care fraud, to effects on research and clinical care. A key component of HIPAA is to encourage electronic transmission of medical information and heightened safeguards to protect the security and confidentiality of medical information.
The provisions of HIPAA apply to health-care providers and plans, public health agencies, self-insured employers, colleges and universities involved in medical studies, life insurance companies, vendors, and others. There are both civil and criminal penalties for noncompliance including fines and imprisonment. The most severe penalties involve up to 10 years in prison and a $250,000 fine for offenses related to the criminal sale, transfer, or use of personally identifiable health information.
HIPAA called on the Department of Health and Human Services (HHS) to ensure that providers secure electronic files in the same way they secure physical paper records to improve overall informational security. The stated goal is to assure individuals that their health information is properly protected while at the same time allowing important uses of the information to protect the health and well-being of individuals and the public. The act covers both health plans and health-care providers who transmit health information in electronic form, according to HHS's "Summary of the HIPAA Privacy Rule" at www.hhs.gov.
The HHS federal privacy standards generally went into effect beginning April 14, 2003, with an extension to 2004 for small health plans to comply. The privacy rules enacted to carry out HIPAA's requirements protect consumers from having their personal health information exploited, disclosed, or otherwise misused, whether by insurance companies, employers, or anyone else. In many cases, consent from the patient must be obtained before information can be disclosed, and when it's disclosed, it often must be the minimum amount of protected health information needed, according to the HHS.
Health-care providers and plans must provide notice to their patients of how their medical information will be used. These notices are generally signed and dated by the patient and maintained in the medical file with a copy provided to the patient. A key component of the privacy regulations allows patients to access their medical records and make corrections to any identified errors or mistakes. This is especially important if a person is victimized by medical identity theft and the fraudster's medical information is incorporated into the victim's medical records. For more information on federal privacy standards to protect patients' medical records, visit the HHS Protecting the Privacy of Patient's Health Information site.
HEALTH-CARE RECORDS ON THE WEB
There are many benefits to moving health-care records online. In theory, patients will be able to access and better manage their records. They can keep detailed and current records on family medical history, immunizations, prescriptions, allergies, lab results, and doctor visits. In an emergency, either the patient or someone with authorization can quickly access an online health record and provide it to the treating health practitioner at any medical facility. Online tools might dramatically decrease the spiraling cost of health care.
Former President George W. Bush lobbied for electronic medical records in an attempt to reduce health-care costs and prevent medical errors. President Barack Obama has proposed similar measures.
Several hundred vendors, including insurance, technology, and Internet companies, are competing to provide digital medical records as nationwide providers. Everyone from Aetna and United Healthcare to Microsoft and Google is getting involved in the business. Microsoft's personal health record tool is called HealthVault. It's a "search engine-supported service to help patients coordinate disparate pieces of health-care information, from lab results to X-rays and daily blood pressure and allergy readings," according to the article, "Microsoft Wants Your Health Records," by Jay Greene in the Oct. 15, 2007, issue of BusinessWeek. Only patients will be allowed access to their medical information, and Microsoft promises safety and security for these highly sensitive digital records.
HIPAA requires minimum privacy and security standards for access, disclosure, and other purposes. As a general rule, HIPAA prevents the disclosure of medical information for marketing purposes. HIPAA's strong rules apply only to "covered entities," which are defined as health-care providers, health insurers, health plan administrators, and billing services. The rules apply to the covered entities and not to the actual medical record. Companies vying for the online medical record business, such as technology and Internet companies, aren't considered covered entities under HIPAA, and they might or might not follow its privacy and security standards.
According to HHS, only 14 percent of medical practices in the United States maintain electronic medical records. HHS would like to see that number rise to 50 percent by 2014. However, a Forrester research study found that only 20 percent of consumers want to access their medical information online. There might be some good news on the horizon for those interested in using online medical records. A 2007 Harris Interactive poll found that 76 percent of adults over 55 regularly use the Web to research their medical conditions. People may very well embrace online medical records in the not-too-distant future.
PREVENTION AND SECURITY
1. Guard your medical insurance card. In many ways it's just as valuable as your credit card. "An insurance card is like a Visa card with a $1 million spending limit," warns Byron Hollis, Esq., CFE, AHFI, managing director of the Blue Cross and Blue Shield Association's National Anti-Fraud Department, in the article, "Your Medical Records Stolen! How to Protect Yourself," by Max Alexander in the November 2006 issue of Reader's Digest. If it's lost, he suggests you take the same steps you would if you lost your credit card.
2. If it sounds too good to be true, it usually is. Be skeptical when you receive calls from telemarketers offering "free" medical care, health screenings, or discounted medical plans. Con artists often use ruses to get unsuspecting victims to provide information. The data could be used to submit phony medical claims and to steal your identity. Never give your medical insurance number or any other personal information to anyone who calls.
3. Be Web savvy. There are innumerable collection points for your personal information. Many are found on the Web. While Web sites might simply be collecting marketing information, think about whether you want to provide information on yourself including illnesses and medical conditions. Be especially careful when registering on health sites or dialing toll-free numbers to ask about new drugs, treatments, or illnesses.
4. Opt out. Don't be your own worst enemy and disclose confidential information on product registration and warranty cards or marketing surveys. Send in opt-out forms to stop information from being shared with third parties.
5. Talk to your doctor and pharmacist about patient privacy. Ask them about their privacy and security procedures.
6. Read your Explanation of Benefits, then read it again. "Our No. 1 defense is the consumer himself," says Hollis in the Reader's Digest article. "We send our explanation-of-benefits [EOB] notices, and people round-file those right off the bat. If people would look at those, a lot of theft would get caught." Look for signs of unauthorized treatments performed under your name and insurance coverage. This might simply be a mistake, or it might be evidence of fraud that you'll need to address immediately. Report any discrepancies to your insurance provider.
7. Get your medical records. Consider requesting a copy of your medical records from your doctor or hospital. You shouldn't have a problem getting them. But if you do, file a complaint with the HHS Office of Civil Rights at 800-368-1019 or https://www.hhs.gov/civil-rights/filing-a-complaint/index.html.
8. Correct your medical records. Review your medical information just as you do your credit report. Ask your medical insurer to provide disclosure histories from doctors and insurers that will show disclosed information. Look for unfamiliar disclosures or ones you didn't receive, and unfamiliar addresses, then promptly follow up.
9. Require photo ID for medical treatment. More hospitals are requiring photo identification to be presented at time of admission and/or treatment in addition to insurance cards. (Obviously, this might not be possible in all cases, especially emergency conditions.)
10. Shred, shred, shred. Shred those EOBs and any other unneeded medical data. Don't toss those empty prescription bottles into the trash or recycling bin without first removing the label containing the patient's name, doctor, medication, and other information.
11. Do not use your SSN. Although your SSN has been a common identifier for medical treatment, it's generally being replaced with a specific medical identification number.
12. Leave your valuables at home. When admitted for a hospital stay or even for outpatient treatment, leave your credit cards and other important documents at home. Ask if the facility has a locked cabinet where you can secure your valuables, such as your wallet or purse, while being treated and ensure that you hold the key.
13. Speak up. Don't be afraid to ask questions and voice your concerns. Inquire about who will have access to your patient files, overall security, and other related issues. Don't settle if your concerns aren't answered. Ask to speak to higher-ups. Consider appointing a family member to negotiate on the patient's behalf, insulating the patient from confrontations.
Regent Emeritus Martin T. Biegelman, CFE, CCEP, ACFE Fellow, is director of financial integrity for Microsoft Corporation. He is a member of the ACFE Foundation Board.
Hilda Schrader Whitcher was First Identity Theft Victim
When President Franklin D. Roosevelt signed the Social Security Act into law in 1935, he had no way of knowing what the future would hold for that seemingly innocent number and its eventual connection to fraud. Within a year, the first Social Security cards were sent to working Americans. Not long after, the misuse of SSNs began. Hilda Schrader Whitcher might have been the first identity theft victim, long before credit and credit cards were the norm. If nothing else, her SSN was the most used and abused number ever issued.
In 1938, wallet manufacturer E.H. Ferree Company of Lockport, N.Y., came up with a novel approach to market its products. As a marketing ploy, the company decided to include a sample Social Security card in each wallet to show that the cards could easily fit inside. The cards were new to Americans, and by the end of 1937, more than 37 million had been distributed. A company executive decided to use a copy of the actual card of his secretary, Hilda Schrader Whitcher, for the insert. The sample card was about half the size of the actual one, printed all in red, with the word "specimen" written diagonally across the face. Thousands of these wallets were eventually sold at Woolworth's stores and other department stores throughout the country. Each contained Whitcher's facsimile Social Security card.
By 1943, more than 5,700 people were known to be using Whitcher's number as their own. The SSA eventually voided the number and gave Whitcher a new one. The SSA determined that more than 40,000 people have used Whitcher's SSN.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.