Kurt Long

By examining two well-documented instances of medical identity theft, we can begin to understand this type of identity theft's impact on its patient victims, the financial consequences, its methods of operation, healthcare's institutional vulnerabilities and how the healthcare industry can avert truly disastrous consequences.

Medical ID Theft, the U.S. Department of Justice and Organized Crime
On Jan. 24, 2007, the U.S. Department of Justice announced the prosecution of a medical identity theft crime involving 1,130 electronically compromised patient records from the Cleveland Clinic. A Cleveland Clinic employee, Isis Machado, allegedly used authorized computer systems to collect patient information and subsequently sold those records to another defendant who was part of an organized crime ring, according to the Justice Department. The patient records allegedly were used to fraudulently bill Medicare $7 million, of which $2.5 million was paid. According to the Justice Department, this is the first case brought under the Health Insurance Portability and Accountability Act (HIPAA) that has gone to trial.

The shockwaves of this incident are far-reaching. As a result of this scheme, healthcare organizations now recognize they are a target of identity theft. After years of watching the financial services industry convulse through damaging, public embarrassments of some of its most reputable organizations, enlightened healthcare organizations are taking action to defend their patients and institutions against medical identity theft.

Despite the impact of this case, signs of trouble had been brewing for months. In May 2006, the World Privacy Forum (WPF) issued its ground-breaking report, "Medical Identity Theft: The Information Crime that Can Kill You." The report indicated that "organized crime rings are heavily involved often in collusion with healthcare employees such as office and medical records personnel and insurance claims clerks." The report added that the rings are "very organized and highly sophisticated and rely on insiders."

The Cleveland Clinic case demonstrated the link between organized crime and medical ID theft. In fact, there is a growing body of evidence that medical identity theft is the most underreported and poorly documented of all identity crimes.

BusinessWeek - The Case of Lind Weaver
On Jan. 8, 2007, BusinessWeek published a story titled, "Diagnosis: Identity Theft." To healthcare privacy insiders, the article was a collection of anecdotes that unfolded over several months, but for most of BusinessWeek's readers, it revealed the devastating personal consequences of medical identity theft.

The article explored the case of Lind Weaver who, in 2004, received a bill from a local hospital for the amputation of her right foot. This bill was a shock to Weaver, who had not undergone the procedure. The BusinessWeek story revealed the powerlessness of medical ID theft's victims to take recourse in "cleaning up" their medical records. The story detailed Weaver's futile attempts to settle her bill or clear her records. Eventually, she walked into the hospital in frustration and proclaimed, "Obviously, I have both of my feet."

Weaver's ordeal continued one year later, when she was hospitalized for an operation and realized her medical records were now contaminated with incorrect information as a result of the medical ID theft. For example, she was told her records showed a history of diabetes, which she did not have. Weaver eventually learned that her identity had been stolen by a thief to have the expensive amputation surgery performed. By the time the BusinessWeek article was published, the hospital had begun to cooperate.

Mounting Evidence of a Growing Trend
Weaver is not alone. The WPF estimates there have been 250,000 victims of medical ID theft to date, but cautioned that this number was a best guess because the crime is underreported. In the WPF's report, details of victims' emotional devastation, frustration in achieving corrections to their medical records, years of financial consequences, termination of insurance benefits and physical risk are well-

The healthcare industry, watchdog groups and the U.S. government have had enormous difficulty pinpointing the scale of the problem. One major reason for the difficulty in nailing down the prevalence of medical ID theft is the lack of resources to investigate the incidents. In December 2006, even greater evidence came to light that healthcare information crimes were underreported and underresearched. That month, the Gartner Group estimated that there were 500,000 medical ID theft victims to date. Gartner warned that there will be 1 million ID theft victims within two years.

No One is Safe - Not Even Children
Anecdotes and research have revealed that patients needing the most treatment are the most vulnerable to medical ID theft. In January 2007, the Oncology Times ran an article titled, "Medical Identity Theft: Under-reported, Under-researched & More Common than Generally Known." In the article, readers learned that the identity of cancer patients is considered gold by criminals and that patients with diabetes, AIDS, and those in drug treatment centers also are among the most vulnerable.

Finally, children have become targets of identity theft. As reported by ConsumerAffairs.com in October 2006, organized crime has recognized that the financial records of those under 18 are less scrutinized, making them an easier target for identity theft and ongoing financial gain. Children's hospitals must be particularly sensitive to this fact.

Enlightened Organizations Are Taking Action
According to the WPF, medical ID theft is difficult to uncover because "it is well hidden in large electronic payment systems and in widely dispersed databases and medical files. Medical identity theft thieves are usually professionals adept at making sure victims do not detect the crime - ever."

But leading organizations are taking their information security obligations seriously under HIPAA. This includes implementing some of the more difficult sections of HIPAA law, including:

  • Implementing hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information;
  • Identifying and responding to suspected or known security incidents;
  • Mitigating, to the extent practicable, the harmful effects of security incidents;
  • Protecting against any reasonably anticipated uses or disclosures of protected health information;
  • Implementing procedures to regularly review systems activity such as audit logs.

These HIPAA requirements were designed to specifically address the types of highly damaging incidents evident in instances of medical ID theft. These requirements can be difficult to implement, but solutions specifically designed for healthcare have emerged.

Healthcare Providers Are Taking on Medical ID Theft
Proactive healthcare organizations are implementing a multi-pronged approach in an effort to thwart medical ID theft within their facilities. They are implementing such practices as:

  • Creating a culture that supports security and compliance. The privacy officers, information security managers and executives of a healthcare provider must create a culture that holds patient information safety at the same level of importance as the physical care of the patient.
  • Leveraging best practices. Virtually all healthcare organizations are facing the same challenges. There are best practices established that every healthcare organization should know about and consider for implementation. There are vendors offering healthcare specialized information security and privacy auditing that leverage best practices accumulated from across the healthcare industry.
  • Strengthening and formalizing the admission processes. Require patients to present some form of picture identification before receiving treatment. This requirement can present challenges, but there are already examples where it has helped reduce the incidence of fraudulent use of insurance.
  • Implementing information security monitoring. Medical ID theft thrives on open access to patient information, to which healthcare organizations are susceptible. There are solutions that automate compliance and information security responsibilities relating to reviewing audit logs, identifying common incidents, streamlining incident investigations and mitigating damages when there is an incident.
  • Physical security. Never underestimate the aspect of physical security. Organizations must consider changing procedures or even the physical layout of a facility to protect controlled access.

It's Never Too Early to Prepare For Trial
As part of best practices, healthcare organizations are preparing themselves to go to trial if necessary. There have been enough damaging privacy incidents involving healthcare organizations and patients that healthcare privacy officers, legal counsel, executives and information security specialists have developed full escalation plans. These plans involve collecting evidence and, if necessary, presenting evidence in court.

Medical ID theft is only going to grow. By taking proactive precautions, healthcare organizations can avert disastrous consequences for their patients and their institutions.

Kurt Long is Founder and CEO of EpicTide, www.epictide.com, a St. Petersburg, Fla.-based compliance and information security company.


A survey conducted by EpicTide revealed some interesting findings about consumer awareness of medical identity theft and patient safety concerns.

The online survey consisted of 23 questions designed to elicit answers from consumers about their beliefs on topics ranging from the frequency of identity theft and its consequences to understanding of patient rights and the role of healthcare organizations in protecting patient records.

Key Survey Findings

  • Nearly half of respondents had never heard of medical identity theft.
  • Consumers' top three fears relative to medical identity theft are: risk to life and health, loss of privacy and confidentiality, and changes in their medical records, respectively.
  • 98.5 percent of survey respondents believe that medical organizations have a responsibility for protecting patient medical records and private information; however, less than 40 percent of respondents feel confident that their healthcare providers are able to secure their medical records and personal information.
  • Only 52.3 percent of respondents agree that patient privacy is a key concern among healthcare providers.
  • Survey respondents almost unanimously believe that medical organizations have a legal responsibility to alert patients if someone has accessed medical records without the patient's consent; however, 7 out of 10 respondents do not believe that healthcare providers are diligent about informing patients of suspected security breaches.

More information on accessing the survey is available at www.epictide.com.

