A trend embraced by white-collar criminals is driving up health-care costs and creating nightmares for its victims. Medical identity theft is health-care fraud and ID theft rolled into one, and it's a crime that's expected to continue growing because it's easy to carry out and difficult to detect.
The first study on the subject, done by the World Privacy Forum (WPF) in 2006, estimates that medical identity theft accounts for 2.7 percent to 3.2 percent of total ID theft, which is reported to be the fastest-growing crime over the last seven years.
In November 2007, the Federal Trade Commission estimated the number of cases of medical identity theft at 3 percent of all ID theft cases. That's at least 250,000 medical identity theft cases per year.
Medical identity theft takes two forms: physician identification numbers that are stolen and used to bill for services, and patient identification information stolen and used to obtain services or to bill for services. The latter scenario is especially damaging to the victims who inadvertently could be treated based on someone else's medical history and who might, as a result, have a difficult time rebuilding their medical files.
There are fewer resources for victims of medical identity theft than for regular ID theft, and victims get little help from laws such as the Health Insurance Portability and Accountability Act (HIPAA).
"First, we know the unique physician identification numbers (UPIN) that are used to bill both private insurance and Medicare/Medicaid are frequently compromised, and we see that in our enforcement efforts," said Kirk Ogrosky, deputy chief of the fraud section for the U.S. Department of Justice. "There's a second part of that, and that's compromised patient information, which would be the Medicare number. That Medicare number goes across different federal programs and private insurance. We see identity theft in both areas, and it's prevalent."
At least 3 percent of U.S. health-care costs (about $60 billion) can be attributed to fraud, according to the National Health Care Anti-Fraud Association. Of that, 1 percent is attributed to medical ID theft - an ominous figure when the numbers are triangulated, according to Sharon Ormsby, section chief for the financial crimes section of the FBI.
"If you figure by 2012, national health-care expenditure costs for the country will be approximately $3 trillion, you look at the fact that the National Health Care Anti-Fraud Association conservatively estimates health-care fraud to be 3 percent to 5 percent of that expenditure amount," she said. "That's a significant amount of fraud, so we do have a strong interest in it."
Ogrosky said he began to see a trend in medical fraud schemes in 2003. He said the schemes run for 90 to 120 days then vanish. That's because by the time victims notice irregularities in the explanation of benefits (EOBs) they receive from their health insurers, the thieves have moved on.
"These schemes really started to pop onto our radar around 2003 and 2004," Ogrosky said. "Since that time, they've grown, stealing from our federal programs to the tune of hundreds of millions of dollars, potentially billions of dollars. I've heard different estimates. There's no real way to quantify the amount of fraud that we don't yet know about."
Medical identity theft can be a profitable venture, and it's not that hard to pull off for someone who's in a position to download large amounts of digitized medical data. In September 2006, police arrested a clerk at a medical clinic in a Weston, Fla., hospital who stole the medical IDs of 1,100 patients and sold them. The numbers were subsequently used to bill Medicare for $2.8 million in false claims.
In another case, police arrested 38 people in Miami-Dade, Fla., in May 2007 and charged them with $142 million in Medicare fraud. The suspects had purchased or stolen medical ID numbers, and billed the government for
wheelchairs, walkers and other equipment.
A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health-care organization, the average payout is more than $20,000, according to Pam Dixon, executive director of the World Privacy Forum. Compare that to just $2,000 for the average payout for regular ID theft.
Dixon said there have been cases involving Russian organized crime and identity theft rings that are buying health clinics and billing the government for services.
There was a recent case in Milpitas, Calif., where two Ukrainian brothers purchased a medical clinic, and staffed it with fake doctors while getting collusion from at least one real doctor who provided his Drug Enforcement Agency number and UPIN so the group could bill for services and drugs. The clinic advertised free checkups, free food and transportation to patients in a poverty-stricken neighborhood. When the patients arrived, their Medicaid or Medicare cards were photocopied and subsequently billed for more than a year. In total, the group used the stolen numbers to bill for more than $1 million in medical services.
"Those are the worst actors," Dixon said. "What is just so terrible is it preys on the elderly and the vulnerable, and the only way this was found out was somebody was paying very close attention to her bills and noticed strange billing for treatment she hadn't received. She raised a red flag and that's how the entire ring got busted."
A check of the victim's health insurance bill is usually the first sign that there is a problem, and most people don't look closely enough at their paperwork. That gives the perpetrators ample time to pull off a scam and move on before being noticed.
"Remember, claims to certain government programs are not going to go back to the doctor," Ogrosky said. "If you're billed for a million dollars of medical equipment but didn't bill the office for a visit to the doctor, the doctor's not going to be notified."
That allows crooks to use a UPIN to bill for services without the doctor knowing about it.
In another recent Miami case, a medical equipment company had more than 500 claims in 45 days - from deceased people. "When you see that sort of thing, it's an immediate red flag that the data has been stolen," Ogrosky said.
Most of the cases originate from an insider with access to medical data, but there is also "one-time or limited misuse," according to Calvin Sneed, senior antifraud consultant with the Blue Shield and Blue Cross Association. "If you looked at the smaller schemes, what you see is the 'lending' and 'borrowing' of ID by someone who can't afford health care, and they do this to get services they desperately need."
"We know health-care costs have risen considerably on an annual basis relative to inflation and probably higher than inflation, and we believe that 45 million to 50 million Americans are uninsured," Sneed continued. "We know prescription drug addiction continues to be a huge problem for some sectors of the population. Those are all contributing factors."
Besides raising the cost of health care for all, medical identity theft can leave a victim's medical records in shambles, and it's not easy to fix. Victims find their medical history changed to reflect the services billed by the identity thief; medications, allergies and surgeries fraudulently billed in the name of the victim become permanent records that are hard to expunge.
Victims of regular identity theft have more recourse under the Fair Credit Reporting Act than medical identity theft victims have under HIPAA.
Changes to medical records that reflect treatments for cancer, HIV and diabetes are the most common as those diseases require the most expensive treatment and are most profitable for medical ID thieves.
"You can imagine all three of those diseases have issues in terms of insurability, employability, and it's very hard for people once they get this on their records," Dixon said. "There's got to be a mechanism to get it purged."
Physicians are reluctant to have any treatment information deleted from records because of malpractice issues, Dixon said. And HIPAA can actually exacerbate the problem when there's confusion about which medical record belongs to whom.
The federal health privacy rule was enacted under HIPAA to protect patient privacy and security. But confidential medical information - patient records, documents on insurance benefits, and passwords to medical servers - is stolen from victims who share music and videos on peer-to-peer networks and unwittingly provide access to their hard drives.
Medical care facilities have also been negligent with critical patient data, exposing patients to medical identity theft. In a 2006 Oregon case, a computer bag holding 10 computer disks containing medical data for 365,000 patients from Providence Portland Medical Center was stolen from an employee's car. So far, there have been three cases of possible identity theft associated with the breach, and Providence has spent $7 million responding to the mistake.
Victims of medical identity theft sometimes find that HIPAA blocks their attempts to correct their medical records. HIPAA requires health-care providers and insurers to provide patients access to their medical records but doesn't require medical providers and insurers to remove incorrect records. HIPAA even says that if incorrect information leads to inappropriate treatment, the incorrect information must remain to preserve a paper trail.
In a 2004 case, a Coloradan named Joe Ryan received a bill for surgery from a hospital that he never visited. Two years later, Ryan was still trying to correct his records. HIPAA, which was supposed to protect him, was actually preventing him from even viewing his own records. Since his signature didn't match the signature of the crook who had stolen and used his medical identity, the hospital wouldn't let him see the records.
"HIPAA can be interpreted in such a way that gets in the way of this, but it can also be interpreted the other way," Dixon said. "It's in a gray area, and if you have a very conservative legal team that's never heard of medical identity theft, they may go the wrong direction. We're working hard to get that eradicated."
The FTC has studied regular ID theft but is not responsible for addressing medical issues, according to the WPF. That responsibility falls to the U.S. Department of Health and Human Services (HHS), which has been slow to respond, according to Dixon. "I have to tell you, HHS has not been good to this point. They've not been looking at it. They've not been talking about it, and they need to."
Ryan went to local law enforcement, but like most local agencies, they weren't familiar with medical identity theft. That fact, and the nature of the crime, makes it difficult to police.
"Sometimes you can identify somebody who had access to the medical data, then trace that medical data in terms of how it was falsely billed, and that will lead you to the subject," Ormsby said. "In other cases, such as hacking cases, those are more difficult because it's more of a cyber-crime." She said many of the cases are complex and require the expertise of a variety of agencies to solve.
The best way to police medical identity theft is to prevent it, Ormsby said. Local law enforcement can begin by performing community outreach programs that educate their municipalities.
Local police should also share identity theft information with state and federal authorities and make referrals to the appropriate state and federal agencies when they learn of a medical identity theft complaint. Lastly they can participate in federal and state working groups that deal with health-care fraud.
Individuals should peruse EOB statements from their health insurers to spot unusual charges.
"We've established some programs and initiatives where we're trying to get our licensees to entertain the idea of educating their subscribers on a quick and regular basis," Sneed said. "Explain to them that they are our first line of defense with respect to health-care fraud. That means looking at your explanation of benefits form when it comes in."
Another aspect of prevention is better security for electronic health records, which are beginning to really take hold, Sneed said. "Facilities, associations and insurers have to keep that as an aspect they have to be aware of as they create their electronic health records, practices and procedures, and account for the idea that this is going to open up databases of information that may be vulnerable. There has to be a risk assessment."
The WPF advocates a National Health Information Network that would be established using comprehensive risk assessments that prevent medical identity theft while protecting privacy, and more mechanisms for individuals to correct errors in their medical histories, as well as notification of medical data breaches to consumers.
The prospect for a continuing trend in medical identity theft is good as health-care record-keeping becomes increasingly automated and because it is so difficult to detect, according to Dixon. "It's going to get worse before it gets better because it's really tough to fix."