Medical identity theft growing exponentially

Medical identity theft is the fastest-growing form of identity fraud. Crooks use a myriad of ways to defraud federal governments and vulnerable patients. Here are the schemes and ways to avoid becoming a victim.

Babubhai Bhurabhai Rathod, of Okemos, Michigan, said he was addicted to drugs. But he was lying. He was really addicted to medical identity theft.

In 2013, Rathod was sentenced to four years in prison after a conviction of paying practitioners illegal kickbacks in exchange for patient referrals to his health care companies, according to the U.S. Department of Justice (DOJ). And he was further excluded from participating in Medicare and Medicaid.

Apparently, he had no desire to reform. While in prison, Rathod faked a drug and alcohol use disorder to qualify for admission into the Residential Drug Abuse Program (RDAP). Rathod completed the RDAP and was released early from custody. Within days of his release in 2016, he began violating his exclusion and supervised release conditions by operating four health care providers across the State of Michigan.

To conceal his ownership of these providers from Medicare and Medicaid, Rathod used a variety of aliases, straw owners and shell holding companies that were registered to other people. Rathod’s scheme netted nearly a million dollars in Medicare and Medicaid reimbursements to which his providers weren’t entitled.

As part of his scheme, Rathod used the name, address, date of birth, Social Security number (SSN) and driver’s license of a physician colleague to obtain working capital loans for one of Rathod’s businesses, Advanced Medical Services. Rathod also used the physician’s identity, without the physician’s knowledge, to personally guarantee those loans. When Advanced Medical Services defaulted on one of these loans, a state-court judgment was entered against the physician — without the physician’s knowledge — and the physician’s bank account was frozen.

Rathod was sentenced to 10 years in prison for health care fraud and an additional two years for aggravated identity theft. He pleaded guilty to both charges in August 2018. U.S. District Judge Janet T. Neff also ordered Rathod to pay $939,795.89 in restitution to Medicare and Medicaid.¹

Medical identity theft compounded by breaches

Medical identity theft is derivative of identity theft. The number of medical identity theft victims has increased from an estimated 1.42 million in 2010 to 1.85 million in 2012 to 2.32 million in 2014 with 500,000 more victims in 2014 alone.²

The estimated economic impact of medical identity theft has increased from $30.9 billion in 2011 to $41.3 billion in 2012, which makes medical identity theft the fastest-growing form of identity theft in the world.³

Compounding the threat of medical identity fraud are the increased numbers of data breaches of health care provider and insurance company medical records such as the Anthem Health Care data breach in 2015, which exposed 78 million member’s personally identifiable information (PII).⁴ In 2015, the U.S. Department of Health and Human Services reported 253 health care breaches which affected 500 individuals or more, with a combined loss of more than 112 million records in 2015. According to Bitglass, one in three Americans were affected by health care breaches in 2015.⁵

Fraudsters sell stolen health records on the underground black market, known as the dark web. In 2016, there were nine times more medical than financial records breached — 27 million, which represents nearly 10% of the U.S. population alone.⁶

Medical identity theft can have devastating effects for patients, providers, insurance companies and governmental programs. Medical identity theft generates losses to the health care industry of more than $30 billion each year, and patients on the average pay $13,500 to resolve issues. Providers also incur significant costs to clear their names, and if their data is stolen they have a high risk of a malpractice claims when erroneous information has been added to patient charts. The costs for patients aren’t just monetary but often result in delays of treatment, misdiagnosis and inappropriate care for patients.⁷

Let’s define it

Medical identity theft occurs when someone steals or uses a person’s name and sometimes other parts of their identity such as Social Security or Medicare or Medicaid numbers plus insurance information without the person’s knowledge or consent to obtain medical treatment, services and/or goods. It frequently results in erroneous entries into existing medical records and can involve the creation of false medical records in the victim’s name.⁸

Perpetrators also include hackers who use social engineering to obtain SSNs and health insurance information from unsuspecting medical providers and patients.⁹

Health care providers also lose private patient information from employee theft and loss of laptops, flash drives and other data sources.¹⁰

Warning signs

Medical identity victims:

• Receive paperwork about medical procedures or services they haven’t received.
• Find incorrect information in medical records.
• Discover their medical benefits on private insurance and/or government programs have been maxed out.
• Are contacted by debt collectors about bogus medical debt.
• See that their credit reports show collection notices and/or other debt activities.
• Are denied insurance coverage because of incorrect information in medical records.¹¹

How to protect yourself

• Review the Explanations of Benefits (EOB) statement or Medicare/Medicaid Summary Notice that your health plan sends after your treatment.
• Annually request a listing of benefits from your health insurers and review them for accuracy.
• Request and review copies of current medical files from all health care providers. Monitor your credit report for inaccuracies.¹²
• Check with your medical providers to ensure your records are accurate.
• Don’t share your medical and/or insurance information with others.
• Read the privacy policies on health care websites before providing personal health information or other PII.
• Don’t provide personal health information or other PII to those who might be posing as your health care provider. Contact your provider to verify.¹³
• Be cautious of free health services or products that require PII.
• Don’t provide personal health information or other PII to someone who contacts you about a “recent breach.”
• Don’t be afraid to ask questions of your health provider as to how they protect personal health information or other PII.
• Don’t post health personal health information or other PII on social networks.
• Treat and protect your health care identities as you would your financial information.¹⁴

How providers can prevent medical identity fraud

Health care providers can take proactive steps by integrating their  health care organizations’ broader information security and privacy programs and a comprehensive incident response plans for PII compromises.

Here are some important parts of a health care provider security program for medical identity information:

• Background checks, including criminal and credit histories on any provider employees with access to private health care information.
• Employee training on importance of security and protection of private health care PII.
• Latest encryption technology to secure all IT resources, including laptops and mobile devices. Where employees are allowed to bring their devices to work,  maintain remote data wiping capability.
• Policies and procedures for protection of personal healthcare PII that include access to information on a strict need-to-know basis, robust password management and guidance in the use of cloud technology.
• Formal protocol to manage all vendors with access to organizations network that include security reviews, U.S. Health Insurance Portability and Accountability Act/U.S. Health Information Technology for Economic and Clinical Health Act compliance requirements and contractual protections, including maintenance of cyber insurance.
• Incident response plan, including management responsibility for reported breaches and the identification of legal, forensic and other technical resources that are equipped to respond in a timely and professional manner.¹⁵

What to do if you’re a victim

• File a police report with your local law enforcement agency. You might need to provide a police report to collection agencies, health care providers, and government and private insurance providers.
• Correct erroneous and false information in medical payment files with health providers.
• Contact one of the three credit bureaus to place a fraud alert on your account: Experian, Equifax or Transunion.
• File a complaint with the Federal Trade Commission (FTC) about medical identity theft. FTC identity Theft Toll Free Hotline: 877-IDTHEFT (877-438-4338).
• If you’re a victim of Medicare fraud, call 800-MEDICARE (800-633-4227).
• If you’re a victim of Medicaid fraud, call 800-HHS-TIPS (800-447-8477).
• Report private insurance fraud to your company hotline.¹⁶

An ever-present and growing danger

Global medical identity theft is active and growing. Health care providers, private insurance companies, government health benefit beneficiary programs and individual consumers should be taking proactive steps to prevent fraud. If they’re victimized they should take corrective actions and report incidents to authorities.

David A. Picard, CFE, is investigations manager, NC Department of Health & Human Services, Division of Health Benefits, NC Medicaid. Contact him at David.Picard@dhhs.nc.gov.

1. “Excluded Felon Sentenced to Twelve Years For Health Care Fraud And Aggravated Identity Theft,” U.S. Attorney’s Office, Western District of Michigan, March 28, 2019
2. “A Call to Action,” Medical Identity Fraud Alliance
3. “The Real Threat of identity Theft Is in Your Medical Records, Not Credit Cards,” by Robert Lord, Dec. 15, 2017, Forbes
4. “Judge Approves Anthem’s $115M Data Breach Settlement,” by Julie Spitzer, Becker’s Hospital Review, Aug. 20, 2018
5. “Medical ID theft,” Fraud.Org, National Consumers League
6. Forbes et al., 2017
7. “Medical Identity Theft: Problems and Prevention,” Healthcare IT News, Feb. 20, 2017
8. “Medical Identity Theft,” U.S. Department of Health and Human Services Office of Inspector General
9. “6th Annual HIMSS Security Survey,” 2014, Healthcare Information and Management Systems Society
10. “6th Annual HIMSS Security Survey”
11. “Medical ID theft,” Fraud.Org National Consumers League
12. “Medical Identity Theft,” World Privacy Forum
13. “Medical identity theft,” Coalition Against Insurance Fraud
14. “The Rise of Medical Identity Theft,” by Michelle Andrews, Consumer Reports, Aug. 25, 2016
15. “Medical Identity Theft: Fighting and Epidemic,” by Brad Gow, Sompro International, 2018
16. “Recovering from Identity Theft,” Federal Trade Commission, September 2018