wheelchairs, walkers and other equipment.

A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health-care organization, the average payout is more than $20,000, according to Pam Dixon, executive director of the World Privacy Forum. Compare that to just $2,000 for the average payout for regular ID theft.

Growing Sophistication
Dixon said there have been cases involving Russian organized crime and identity theft rings that are buying health clinics and billing the government for services.

There was a recent case in Milpitas, Calif., where two Ukrainian brothers purchased a medical clinic, and staffed it with fake doctors while getting collusion from at least one real doctor who provided his Drug Enforcement Agency number and UPIN so the group could bill for services and drugs. The clinic advertised free checkups, free food and transportation to patients in a poverty-stricken neighborhood. When the patients arrived, their Medicaid or Medicare cards were photocopied and subsequently billed for more than a year. In total, the group used the stolen numbers to bill for more than $1 million in medical services.

"Those are the worst actors," Dixon said. "What is just so terrible is it preys on the elderly and the vulnerable, and the only way this was found out was somebody was paying very close attention to her bills and noticed strange billing for treatment she hadn't received. She raised a red flag and that's how the entire ring got busted."

A check of the victim's health insurance bill is usually the first sign that there is a problem, and most people don't look closely enough at their paperwork. That gives the perpetrators ample time to pull off a scam and move on before being noticed.

"Remember, claims to certain government programs are not going to go back to the doctor," Ogrosky said. "If you're billed for a million dollars of medical equipment but didn't bill the office for a visit to the doctor, the doctor's not going to be notified."

That allows crooks to use a UPIN to bill for services without the doctor knowing about it. 

In another recent Miami case, a medical equipment company had more than 500 claims in 45 days - from deceased people. "When you see that sort of thing, it's an immediate red flag that the data has been stolen," Ogrosky said.

Most of the cases originate from an insider with access to medical data, but there is also "one-time or limited misuse," according to Calvin Sneed, senior antifraud consultant with the Blue Shield and Blue Cross Association. "If you looked at the smaller schemes, what you see is the 'lending' and 'borrowing' of ID by someone who can't afford health care, and they do this to get services they desperately need."

"We know health-care costs have risen considerably on an annual basis relative to inflation and probably higher than inflation, and we believe that 45 million to 50 million Americans are uninsured," Sneed continued. "We know prescription drug addiction continues to be a huge problem for some sectors of the population. Those are all contributing factors."

Broken Records
Besides raising the cost of health care for all, medical identity theft can leave a victim's medical records in shambles, and it's not easy to fix. Victims find their medical history changed to reflect the services billed by the identity thief; medications, allergies and surgeries fraudulently billed in the name of the victim become permanent records that are hard to expunge.

Victims of regular identity theft have more recourse under the Fair Credit Reporting Act than medical identity theft victims have under HIPAA.

Jim McKay, Justice and Public Safety Editor  |  Justice and Public Safety Editor