By examining two well-documented instances of medical identity theft, we can begin to understand this type of identity theft's impact on its patient victims, the financial consequences, its methods of operation, healthcare's institutional vulnerabilities and how the healthcare industry can avert truly disastrous consequences.
Medical ID Theft, the U.S. Department of Justice and Organized Crime
On Jan. 24, 2007, the U. S. Department of Justice announced the prosecution of a medical identity theft crime involving 1,130 electronically comprised patient records from the Cleveland Clinic. A Cleveland Clinic employee, Isis Machado, allegedly used authorized computer systems to collect patient information and subsequently sold those records to another defendant who was part of an organized crime ring, according to the Justice Department. The patient records allegedly were used to fraudulently bill Medicare $7 million of which $2.5 million were paid. According to the Justice Department, this is the first case brought under the Health Insurance Portability and Accountability Act (HIPAA) that has gone to trial.
The shockwaves of this incident are far-reaching. As a result of this scheme, healthcare organizations now recognize they are a target of identity theft. After years of watching the financial services industry convulse through damaging, public embarrassments of some of its most reputable organizations, enlightened healthcare organizations are taking action to defend their patients and institutions against medical identity theft.
Despite the impact of this case, signs of trouble had been brewing for months. In May 2006, the World Privacy Forum (WPF) issued its ground-breaking report, Medical Identity Theft: The Information Crime that Can Kill You." The report indicated that "organized crime rings are heavily involved often in collusion with healthcare employees such as office and medical records personnel and insurance claims clerks." The report added that the rings are "very organized and highly sophisticated and rely on insiders."
The Cleveland Clinic case demonstrated the link between organized crime and medical ID theft. In fact, there is a growing body of evidence that medical identity theft is the most underreported and poorly documented of all identity crimes.
BusinessWeek - The Case of Lind Weaver
On Jan. 8, 2007 BusinessWeek published a story titled, "Diagnosis: Identity Theft." To healthcare privacy insiders, the article was a collection of anecdotes that unfolded over several months, but for most of BusinessWeek's readers, it revealed the devastating personal consequences of medical identity theft.
The article explored the case of Lind Weaver who, in 2004, received a bill from a local hospital for the amputation of her right foot. This bill was a shock to Weaver, who had not undergone the procedure. The BusinessWeek story revealed the powerlessness of medical ID theft's victims to take recourse in "cleaning up" their medical records. The story detailed Weaver's futile attempts to settle her bill or clear her records. Eventually, she walked into the hospital in frustrationand proclaimed, "Obviously, I have both of my feet."
Weaver's ordeal continued one year later, when she was hospitalized for an operation and realized her medical records were now contaminated with incorrect information as a result of the medical ID theft. For example, she was told her records showed a history of diabetes, which she did not have. Weaver eventually learned that her identity had been stolen by a thief to have the expensive amputation surgery performed. By the time the BusinessWeek article was published, the hospital had begun to cooperate.
Mounting Evidence of a Growing Trend
Weaver is not alone. The WPF estimates there have been 250,000 victims of medical ID theft to date, but cautioned that this number was a best guess because the crime is underreported. In the WPF's report, details of victims' emotional devastation, frustration in achieving corrections to their medical records, years of financial consequences, termination of insurance benefits and physical risk are well-
The healthcare industry, watchdog groups and the U.S. government have had enormous difficulty pinpointing the scale of the problem. One major reason for the difficulty in nailing down the prevalence of medical ID theft is the lack of resources to investigate the incidents. In December 2006, even greater evidence came to light that healthcare information crimes were underreported and underresearched. In December 2006, the Gartner Group estimated that there were 500,000 medical ID theft victims to date. Gartner warned that there will be 1 million ID theft victims within two years.
No One is Safe - Not Even Children
Anecdotes and research have revealed that patients needing the most treatment are the most vulnerable to medical ID theft. In January 2007, the Oncology Times ran an article titled, "Medical Identity Theft: Under-reported, Under-researched & More Common than Generally Known." In the article, readers learned that the identity of cancer patients is considered gold by criminals and that patients with diabetes, AIDS, and those in drug treatment centers also are among the most vulnerable.
Finally, children have become targets of identity theft. As reported by ConsumerAffairs.com in October 2006, organized crime has recognized that the financial records of those under 18 are less scrutinized, making them an easier target for identity theft and ongoing financial gain. Children's hospitals must be particularly sensitive to this fact.
Enlightened Organizations Are Taking Action
According to the WPF, medical ID theft is difficult to uncover because "it is well hidden in large electronic payment systems and in widely dispersed databases and medical files. Medical identity theft thieves are usually professionals adept at making sure victims do not detect the crime - ever."
But leading organizations are taking their information security obligations seriously under HIPAA. This includes implementing some of the more difficult sections of HIPAA law, including:
- Implementing hardware, software and/ or procedural mechanisms that record and examine activity in information
- systems that contain or use electronic protected health information;
- Identifying and responding to suspected or known security incidents;
- Mitigating to the extent practicable, harmful effects of security incidents;
- Protecting against any reasonably anticipated uses or disclosures of protected health information;
- Implementing procedures to regularly review systems activity such as audit logs.
These HIPAA requirements were designed to specifically address the types of highly damaging incidents evident in instances of medical ID theft. These requirements can be difficult to implement, but solutions specifically designed for healthcare have emerged.
Healthcare Providers Are Taking on Medical ID Theft
Proactive healthcare organizations are implementing a multi-pronged approach in an effort to thwart medical ID theft within their facilities. They are implementing such practices as:
- Creating a culture that supports security and compliance. The privacy officers, information security managers and executives of a healthcare provider must create a culture that holds patient information safety at the same level of importance as the physical care of the patient.
- Leveraging best practices. Virtually all healthcare organizations are facing the same challenges. There are best practices established that every healthcare organization should know about and consider for implementation. There are vendors offering healthcare specialized information security and privacy auditing that leverage best practices accumulated from across the healthcare industry.
- Strengthening and formalizing the admission processes. Require patients to present some form of picture identification before receiving treatment. This requirement can present challenges, but there are already examples of where this has helped reduce the incidences of the fraudulent use of insurance.
- Implementing information security monitoring. Medical ID theft thrives on open access to patient information to which healthcare organizations are susceptible. There are solutions that automate compliance and information security responsibilities relating to reviewing audit logs, identifying common incidents, streamlining incident investigations and mitigating damages when there is an incident.
- Physical security. Never underestimate the aspect of physical security. Organizations must consider changing procedures or even the physical layout of a facility to protect controlled access.
It's Never Too Early to Prepare For Trial
As part of best practices, healthcare organizations are preparing themselves to go to trial if necessary. There have been a sufficient number of damaging privacy incidents involving healthcare organizations and patients resulting in the development of full escalation plans developed by healthcare privacy officers, legal counsel, executives and information security specialists. These plans involve collecting evidence, and if necessary, presenting evidence in court.
Medical ID theft is only going to grow. By taking proactive precautions, healthcare organizations can avert disastrous consequences for their patients and their institutions.
Kurt Long is Founder and CEO of EpicTide, www.epictide.com, a St. Petersburg, Fla.-based compliance and information security company. He may be contacted at
CONSUMER AWARENESS OF MEDICAL ID THEFT
A survey conducted by EpicTide revealed some interesting findings about consumer awareness of medical identity theft and patient safety concerns.
The online survey consisted of 23 questions designed to elicit answers from consumers about their beliefs on topics ranging from the frequency of identity theft and its consequences to understanding of patient rights and the role of healthcare organizations in protecting patient records.
Key Survey Findings
- Nearly half of respondents had never heard of medical identity theft.
- Consumers' top three fears relative to medical identity theft are: risk to life and health, loss of privacy and confidentiality, and changes in their medical records, respectively.
- 98.5 percent of survey respondents believe that medical organizations have a responsibility for protecting patient medical records and private information; however, less than 40 percent of respondents feel confident that their healthcare providers are able to secure their medical records and personal information.
- Only 52.3 percent of respondents agree that patient privacy is a key concern among healthcare providers.
- Survey respondents almost unanimously believe that medical organizations have a legal responsibility to alert patients if someone has accessed medical records without the patient's consent; however, 7 out of 10 respondents do not believe that healthcare providers are diligent about informing patients of suspected security breaches.
More information on accessing the survey is available at www.epictide.com.