
Kurt Long

By examining two well-documented instances of medical identity theft, we can begin to understand this type of identity theft's impact on its patient victims, the financial consequences, its methods of operation, healthcare's institutional vulnerabilities and how the healthcare industry can avert truly disastrous consequences.

Medical ID Theft, the U.S. Department of Justice and Organized Crime
On Jan. 24, 2007, the U.S. Department of Justice announced the prosecution of a medical identity theft crime involving 1,130 electronically compromised patient records from the Cleveland Clinic. A Cleveland Clinic employee, Isis Machado, allegedly used authorized computer systems to collect patient information and subsequently sold those records to another defendant who was part of an organized crime ring, according to the Justice Department. The patient records allegedly were used to fraudulently bill Medicare $7 million, of which $2.5 million was paid. According to the Justice Department, this is the first case brought under the Health Insurance Portability and Accountability Act (HIPAA) that has gone to trial.

The shockwaves of this incident are far-reaching. As a result of this scheme, healthcare organizations now recognize they are a target of identity theft. After years of watching the financial services industry convulse through damaging, public embarrassments of some of its most reputable organizations, enlightened healthcare organizations are taking action to defend their patients and institutions against medical identity theft.

Despite the impact of this case, signs of trouble had been brewing for months. In May 2006, the World Privacy Forum (WPF) issued its ground-breaking report, "Medical Identity Theft: The Information Crime that Can Kill You." The report indicated that "organized crime rings are heavily involved often in collusion with healthcare employees such as office and medical records personnel and insurance claims clerks." The report added that the rings are "very organized and highly sophisticated and rely on insiders."

The Cleveland Clinic case demonstrated the link between organized crime and medical ID theft. In fact, there is a growing body of evidence that medical identity theft is the most underreported and poorly documented of all identity crimes.

BusinessWeek - The Case of Lind Weaver
On Jan. 8, 2007, BusinessWeek published a story titled, "Diagnosis: Identity Theft." To healthcare privacy insiders, the article was a collection of anecdotes that unfolded over several months, but for most of BusinessWeek's readers, it revealed the devastating personal consequences of medical identity theft.

The article explored the case of Lind Weaver who, in 2004, received a bill from a local hospital for the amputation of her right foot. This bill was a shock to Weaver, who had not undergone the procedure. The BusinessWeek story revealed the powerlessness of medical ID theft's victims to take recourse in "cleaning up" their medical records. The story detailed Weaver's futile attempts to settle her bill or clear her records. Eventually, she walked into the hospital in frustration and proclaimed, "Obviously, I have both of my feet."

Weaver's ordeal continued one year later, when she was hospitalized for an operation and realized her medical records were now contaminated with incorrect information as a result of the medical ID theft. For example, she was told her records showed a history of diabetes, which she did not have. Weaver eventually learned that her identity had been stolen by a thief to have the expensive amputation surgery performed. By the time the BusinessWeek article was published, the hospital had begun to cooperate.

Mounting Evidence of a Growing Trend
Weaver is not alone. The WPF estimates there have been 250,000 victims of medical ID theft to date, but cautioned that this number was a best guess because the crime is underreported. In the WPF's report, details of victims' emotional devastation, frustration in achieving corrections to their medical records, years of financial consequences, termination of insurance benefits and physical risk are well-

The healthcare industry, watchdog groups and the U.S. government have had enormous difficulty pinpointing the scale of the problem. One major reason is the lack of resources to investigate incidents. In December 2006, even greater evidence came to light that healthcare information crimes were underreported and underresearched: the Gartner Group estimated that there were 500,000 medical ID theft victims to date. Gartner warned that there will be 1 million ID theft victims within two years.

No One is Safe - Not Even Children
Anecdotes and research have revealed that patients needing the most treatment are the most vulnerable to medical ID theft. In January 2007, the Oncology Times ran an article titled, "Medical Identity Theft: Under-reported, Under-researched & More Common than Generally Known." In the article, readers learned that the identity of cancer patients is considered gold by criminals and that patients with diabetes, AIDS, and those in drug treatment centers also are among the most vulnerable.

Finally, children have become targets of identity theft. As reported by ConsumerAffairs.com in October 2006, organized crime has recognized that the financial records of those under 18 are less scrutinized, making them an easier target for identity theft and ongoing financial gain. Children's hospitals must be particularly sensitive to this fact.

Enlightened Organizations Are Taking Action
According to the WPF, medical ID theft is difficult to uncover because "it is well hidden in large electronic payment systems and in widely dispersed databases and medical files. Medical identity theft thieves are usually professionals adept at making sure victims do not detect the crime - ever."

But leading organizations are taking their information security obligations seriously under HIPAA. This includes implementing some of the more difficult sections of HIPAA law, including:

  • Implementing hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information;
  • Identifying and responding to suspected or known security incidents;
  • Mitigating to the extent practicable, harmful effects of security incidents;
  • Protecting against any reasonably anticipated uses or disclosures of protected health information;
  • Implementing procedures to regularly review systems activity such as audit logs.

These HIPAA requirements were designed to specifically address the types of highly damaging incidents evident in instances of medical ID theft. These requirements can be difficult to implement, but solutions specifically designed for healthcare have emerged.

Healthcare Providers Are Taking on Medical ID Theft
Proactive healthcare organizations are implementing a multi-pronged approach in an effort to thwart medical ID theft within their facilities. They are implementing such practices as:

  • Creating a culture that supports security and compliance. The privacy officers, information security managers and executives of a healthcare provider must create a culture that holds patient information safety at the same level of importance as the physical care of the patient.
  • Leveraging best practices. Virtually all healthcare organizations are facing the same challenges. There are best practices established that every healthcare organization should know about and consider for implementation. There are vendors offering healthcare specialized information security and privacy auditing that leverage best practices accumulated from across the healthcare industry.
  • Strengthening and formalizing the admission processes. Require patients to present some form of picture identification before receiving treatment. This requirement can present challenges, but there are already examples where it has helped reduce the incidence of fraudulent use of insurance.
  • Implementing information security monitoring. Medical ID theft thrives on open access to patient information, and healthcare organizations are susceptible to it. There are solutions that automate compliance and information security responsibilities relating to reviewing audit logs, identifying common incidents, streamlining incident investigations and mitigating damages when there is an incident.
  • Physical security. Never underestimate physical security. Organizations must consider changing procedures or even the physical layout of a facility to protect controlled access.

It's Never Too Early to Prepare For Trial
As part of best practices, healthcare organizations are preparing themselves to go to trial if necessary. Enough damaging privacy incidents involving healthcare organizations and patients have occurred that healthcare privacy officers, legal counsel, executives and information security specialists have developed full escalation plans. These plans involve collecting evidence and, if necessary, presenting it in court.

Medical ID theft is only going to grow. By taking proactive precautions, healthcare organizations can avert disastrous consequences for their patients and their institutions.

Kurt Long is Founder and CEO of EpicTide, www.epictide.com, a St. Petersburg, Fla.-based compliance and information security company. He may be contacted at




A survey conducted by EpicTide revealed some interesting findings about consumer awareness of medical identity theft and patient safety concerns.

The online survey consisted of 23 questions designed to elicit answers from consumers about their beliefs on topics ranging from the frequency of identity theft and its consequences to understanding of patient rights and the role of healthcare organizations in protecting patient records.

Key Survey Findings

  • Nearly half of respondents had never heard of medical identity theft.
  • Consumers' top three fears relative to medical identity theft are: risk to life and health, loss of privacy and confidentiality, and changes in their medical records, respectively.
  • 98.5 percent of survey respondents believe that medical organizations have a responsibility for protecting patient medical records and private information; however, less than 40 percent of respondents feel confident that their healthcare providers are able to secure their medical records and personal information.
  • Only 52.3 percent of respondents agree that patient privacy is a key concern among healthcare providers.
  • Survey respondents almost unanimously believe that medical organizations have a legal responsibility to alert patients if someone has accessed medical records without the patient's consent; however, 7 out of 10 respondents do not believe that healthcare providers are diligent about informing patients of suspected security breaches.

More information on accessing the survey is available at www.epictide.com.

