Nobody Is Immune to Medical Identity Theft
Take steps to protect your practice and its patients from being victimized.
Many forms of identity theft may stem from a medical record breach. Thieves may use someone else’s identity to seek medical care, open new utility accounts, receive credit cards, conduct online transactions, apply for home loans, buy cars, get a job, commit crimes, or file for fraudulent government benefits.
Medical records contain a plethora of information all in one place. This is a jackpot for thieves. Medical identity theft poses a risk even greater than financial breaches. Consider someone claiming to be you and seeking medical care. Perhaps he or she has a serious medical condition that you do not have. Now this condition is on your permanent record. What if the thief is a drug addict, has a terminal illness, or a different blood type? Now, the thief’s medical profile is part of yours. Often, thieves will visit emergency rooms and leave the balance of the medical bill to the “real” person to pay. Unpaid bills go to collection agencies and affect credit ratings. The provider, also a victim, is left with unpaid services.
The Devastation of Medical Identity Theft
Consider the true case of the drug-addicted, pregnant woman who delivered a baby using a stolen health insurance card. The baby was born addicted to drugs and with other serious health concerns. The mother abandoned the baby the next day. The real insurance cardholder was visited by authorities and had her children taken into protective custody. She was a suburban housewife with no history of drug use. Fortunately, she was able to get her kids back later the same day, but she had to prove she had not delivered a drug-addicted baby the day before.
In another case, a college student signed up to donate blood, but was told she could not donate because she was HIV positive. It was many years and thousands of dollars later before she was able to correct her medical record and reclaim her identity.
The ramifications of a medical identity theft don’t end there. A false medical profile can be devastating emotionally and financially: Victims may be denied life insurance, fired from their job, or even receive death threats.
Other medical identity theft risks include medical alert devices, implanted defibrillators, continuous positive airway pressure machines, and insulin pumps. These devices connect to networks. Sophisticated hackers can intercept the data and access these devices and the personal information associated with them. If a device has a signal that can be hacked, the user is at risk. Consumers can contact the device manufacturer to determine how the data is protected and how the company responds to data breaches.
Consumers expect healthcare providers to be proactive in preventing and detecting medical identity theft. According to a recent Poneman study, 48 percent of respondents surveyed said they would consider changing healthcare providers if their medical records were lost or stolen. If a breach occurs, 40 percent expect prompt notification to come from the responsible organization.
Everyone who touches a medical record must be hyper vigilant. The U.S. Federal Trade Commission’s Red Flags Rule requires businesses and organizations to develop and implement procedures to detect suspicious activities or patterns of behavior that suggest identity theft. Some of the measures are as simple as asking for photo identification. Providers should ask for photo ID (government issued is preferred) and maintain a photo in the chart. Patients should protect their information, including their health insurance ID card.
Tips and Resources
Victims can take advantage of their rights under the HIPAA Privacy Rule. To learn more about medical identity theft and how to protect yourself, check out these tips and resources:
- File a complaint with the FTC at www.ftccomplaintassistant.gov or by phone at 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261; and see info at www.ftc.gov/idtheft.
- File a report with local police, and send copies of the report to their health plan’s investigations or privacy department, their healthcare provider(s), and the three nationwide credit reporting companies: Equifax, Experian, and TransUnion. Information on how to file a police report and reach the credit reporting companies is at www.ftc.gov/idtheft/consumers/defend.html.
- Look for signs of other misuses of personal information by reviewing credit reports. The law requires each of three major nationwide credit-reporting companies to give people a free copy of their credit report each year if they ask for it, at www.AnnualCreditReport.com or 1-877-322-8228.
- Inaccurate or fraudulent information can be reported at www.ftc.gov/idtheft. You can also learn how to get inaccurate information corrected or removed.
Medical identity theft is serious business, and should be acted on immediately to help mitigate risk. Many employers and insurance companies offer credit protection and monitoring services. Some companies also offer medical identity fraud alert systems. Everyone should look at options and take necessary precautions.
Identity Theft: A Serious Problem
According to the Ponemon Institute, 2.3 million Americans were victims of medical identity theft in 2014. Victims will tell you, medical identity theft is one of the most expensive and time-consuming types of identity theft to resolve. Protected health information (PHI) breaches affect not just patients, but also providers and health plans. In 2010, Ponemon Institute conducted a survey that concluded the average cost incurred to resolve a medical data breach is more than $20,000, or $211 per record.
More than 50 percent of victims are not aware their identity has been stolen for a year, or more. Victims may become aware of a breach when they are turned down for credit. Often, collection agency letters and phone calls are the first indication identity has been stolen or breached. Medical identity theft victims might also suffer embarrassment from disclosure of sensitive personal health conditions.
Ponemon Institute© Research Report, Fifth Annual Study on
Medical Identity Theft, February 2015:
Experian, “Combating the Rising Tide of Medical Identity Theft”:
Jonnie Massey, CPC, CPC-P, CPC-I, CPMA, AHFI, is director of the Blue Shield of California, Special Investigations Unit. Her specialties include healthcare fraud investigation, prevention, and resolution. Massey has extensive experience in health insurance plans and management and trains on healthcare fraud, coding, and ICD-10. She is on AAPC’s National Advisory Board, and also served from 2007-2009. Massey is a member of the Sacramento, Calif., local chapter.