Changes to medical records that reflect treatments for cancer, HIV and diabetes are the most common, as those diseases require the most expensive treatment and are the most profitable for medical ID thieves.
"You can imagine all three of those diseases have issues in terms of insurability, employability, and it's very hard for people once they get this on their records," Dixon said. "There's got to be a mechanism to get it purged."
Physicians are reluctant to have any treatment information deleted from records because of malpractice issues, Dixon said. And HIPAA can actually exacerbate the problem when there's confusion about which medical record belongs to whom.
The federal health privacy rule was enacted under HIPAA to protect patient privacy and security. But confidential medical information - patient records, documents on insurance benefits, and passwords to medical servers - is stolen from victims who share music and videos on peer-to-peer networks and unwittingly provide access to their hard drives.
Medical care facilities have also been negligent with critical patient data, exposing patients to medical identity theft. In a 2006 Oregon case, a computer bag holding 10 computer disks containing medical data for 365,000 patients from Providence Portland Medical Center was stolen from an employee's car. So far, there have been three cases of possible identity theft associated with the breach, and Providence has spent $7 million responding to the mistake.
Victims of medical identity theft sometimes find that HIPAA blocks their attempts to correct their medical records. HIPAA requires health-care providers and insurers to provide patients access to their medical records but doesn't require medical providers and insurers to remove incorrect records. HIPAA even says that if incorrect information leads to inappropriate treatment, the incorrect information must remain to preserve a paper trail.
In a 2004 case, a Coloradan named Joe Ryan received a bill for surgery from a hospital that he never visited. Two years later, Ryan was still trying to correct his records. HIPAA, which was supposed to protect him, was actually preventing him from even viewing his own records. Since his signature didn't match the signature of the crook who had stolen and used his medical identity, the hospital wouldn't let him see the records.
"HIPAA can be interpreted in such a way that gets in the way of this, but it can also be interpreted the other way," Dixon said. "It's in a gray area, and if you have a very conservative legal team that's never heard of medical identity theft, they may go the wrong direction. We're working hard to get that eradicated."
The FTC has studied regular ID theft but is not responsible for addressing medical issues, according to the WPF. That responsibility falls to the U.S. Department of Health and Human Services (HHS), which has been slow to respond, according to Dixon. "I have to tell you, HHS has not been good to this point. They've not been looking at it. They've not been talking about it, and they need to."
Ryan went to local law enforcement, but like most local agencies, they weren't familiar with medical identity theft. That fact, and the nature of the crime, makes it difficult to police.
"Sometimes you can identify somebody who had access to the medical data, then trace that medical data in terms of how it was falsely billed, and that will lead you to the subject," Ormsby said. "In other cases, such as hacking cases, those are more difficult because it's more of a cyber-crime." She said many of the cases are complex and require the expertise of a variety of agencies to solve.
The best way to police medical identity theft is to prevent it, Ormsby said. Local law enforcement can begin by performing community outreach programs that educate their municipalities.