Document Service Company provides document management services

Home Page

Document Storage

Vaulting Services

Document Destruction

Reference Library

Contact us

February 11, 2007

Medical Identify Theft Can Kill You

Seven Steps You Can Take to Protect Yourself

By Amy Buttell Crane, Bankrate.com

Financial identity theft might wound your wallet, but medical identity theft can kill you.

Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims.  That means your medical history and health care records can include someone else’s information.  This can be life threatening: for example, causing a transfusion of the wrong blood type.

“People can die from this crime,” says Pam Dixon, executive director of the World Privacy Forum, a privacy rights group.  “It is a potentially huge issue.  It’s an incredibly intransigent problem and victims are finding that they have to sue health care providers to have their records corrected.”

As paper-based, medical-record-keeping systems evolve toward electronically based interconnected systems, the potential for catastrophic errors is on the rise.

Hospitals and insurance companies face enormous expenses when it comes to medical identity theft, as they are forced to write-off charges incurred by the thieves.  But its victims find that the financial aspects of this type of identity theft are the easiest to deal with - - it’s the potential medical consequences that are much tougher to correct.

Because health privacy and access laws lag behind credit access and reporting laws, victims frequently have little recourse to correct errors in their reports, and even when corrected , errors are apt to pop up again years later.  Often victims are unaware for years that their medical identities have been stolen, according to the World Privacy Forum.

Health care providers, concerned about possible liabilities, are reluctant to correct errors in medical records and in some cases inform victims that the identity of the thief is protected under federal privacy laws so the victim can’t even view the part of their records that is wrong.

What it is

There are two aspects to medical identity theft: medical and financial.  The medical consequences involve the medical information and records of the thief becoming intermingled with your own records.  So, your medical record could reflect a major surgery that you never had, and these records would include details relating to the health history of the thief rather than your own.  Relying on those false records, future health care providers might easily make inaccurate diagnoses, resulting in medical errors or delaying proper treatment.

The financial aspects are the same that any consumers victimized by identity theft face: unpaid bills, serious blemishes on credit reports and harassing phone calls from collections agencies.

The health care system is much more able to deal with the financial aspects than it is with the medical consequences for patients.

Dealing with the medical consequences is much more difficult, not only because of the loopholes in federal medical privacy laws - - the chief one being the Health Insurance Portability and Accountability Act, or HIPAA, of 1996 - - but also because the federal government isn’t enforcing HIPAA, including those provisions that might help the victims of medical identity theft.

Victims find it difficult not only to uncover the fraud, but also to get their health care and insurance records corrected.  As a result, victims with inaccurate claims on their insurance may bump up against lifetime care insurance caps and find it more difficult or impossible to get future medical, life, long-term care and supplemental insurance.

How it happens

A 2006 report published by the World Privacy Forum found that most medical identity theft begins at health care providers’ offices, where insiders - - usually employees - - are paid by criminals or criminal organizations to obtain medical identification information in bulk.

“Our research found that there is a huge black market for medical records.  Police tell us such records go for $50 each on the street, compared to Social Security numbers that go for a dollar or two,” Dixon says.

The stolen records are sold to individuals without insurance who are in need of elective surgeries or other expensive treatments.  “As more people are not getting the health care they need, we’re seeing an increasing incidence of medical identity fraud,” says Norbert Kugele, an attorney specializing in health privacy laws with Warner, Norcross and Judd in Grand Rapids, Mich.  “Someone will show up at a hospital with someone else’s insurance information and will seek treatment under their name.”

In many cases, the thief will take steps to prevent detection, including changing the address where insurance and hospital information is sent.  This is one reason why it takes victims so long to discover the fraud.  If they aren’t getting their insurance statements or seeking medical treatment, they are usually in the dark.

A growing threat

While most consumers are familiar with financial identity theft, not as many are aware of medical identity theft, according to a survey published in December by EpicTide, a provider of security systems for the health care industry.  The survey also revealed that consumers are unfamiliar with the potential consequences of medical identity theft and have a limited understanding of health privacy laws.

Hospitals, insurance companies and even the federal government are pushing for wide adoption of electronic health care records that would be available to health care providers across the country.

However, a 2006 PriceWaterhouseCoopers study, “The Global State of Security,” reveals that data security isn’t a high priority at health care facilities in the United States and around the world.  Only 48 percent of the nearly 8,000 health care executives surveyed reported that their facility encrypted data before transmission and only 37 percent have an information security strategy.

This lack of data security is potentially disastrous if a national electronic medical database is created, says Dixon.  If hospitals and doctors all over the country are interconnected, the potential for medical errors and even deaths resulting from medical identity theft rises exponentially, she adds.  Such a database may actually result in an increase in medical identity theft as criminals who already know how to access various systems gain access to data on a national scale.  The World Privacy Forum estimates that as many as 250,000 to 500,000 consumers have been victims of medical identity theft as of mid-2006.  But some doubt that medical identity theft is that widespread.

Jim Harper, author of “Identity Crisis: How Identification is Overused and Misunderstood,” labels medical identity theft as a “marginal risk” along with others such as being hit by lightening or becoming the victim of a terrorist attack.

“The definitions that are being used to compile these statistics are overbroad,” he says.  “I’m not saying it isn’t a problem – it just is a problem that the average person isn’t likely to encounter.  HIPAA has actually made dealing with such problems worse because people can’t get their medical files corrected, which is just ridiculous.”

In Dixon’s opinion, “one person being victimized by medical identity theft is a problem and something we need to be concerned about.”

Protecting yourself

Because HIPAA protections are riddled with loopholes, there is only so much you can do to protect yourself.

  1. View your medical records.  Request a copy of your medical records or go to your health providers and ask to see them, says Cindy Smith, a managing director at PriceWaterhouseCoopers.  HIPAA requires health care providers to either supply you with the requested records within 30 days or ask for more time.  If they deny your request, they must state the reason in writing.
  2. Shred documents.  These days, shredding junk mail is merely common sense.  If you’re concerned about medical identity theft, shred any health care and/or insurance documentation that you aren’t retaining.
  3. Protect your mail.  Putting your mail out for the neighborhood letter carrier to pick up is “an invitation to identity thieves,” says Steve Weisman, author of “50 Ways to Protect Your Identity and Your Credit:  Everything You Need to Know About ID Theft, Credit Cards, Credit Repair and Credit Reports.”  At the very least, deposit your outgoing mail directly in mailboxes.  Better yet, get a post office box and pick up all your mail there.  “It isn’t completely secure – postal employees have been involved in identity theft – but it’s more secure than getting your mail at home,” he says.
  4. Restrict access to your ID.  Consumers accede to requests to view their driver license or other IDs far too readily, says Judd Rousseau, chief operating officer of Identity Theft 911, a company that offers identity theft resources for consumers and businesses.  “If someone wants to see your driver’s license or needs your Social Security number, question them,” he says.  “Don’t give potential thieves access to your identity.”
  5. Confidential communications.  Health privacy laws allow consumers to request that their providers limit communications about their health care and health care records to third parties.  Unfortunately, HIPAA doesn’t require health care providers to comply with such a request, but “It’s worth a try,” Kugele says.
  6. Access records online.  If your insurance allows it, opt to get insurance billing statements and other notifications online and discontinue paper mailings, says Eduard Goodman, chief privacy officer of Identity Theft 911.  “Many people think that doing things online is riskier than the mail or whatever, but it’s not,” he says.  “Encryption and security protocols make it much safer to do business online.”  If you can’t eliminate paper statements, periodically check online to see what’s been going on with your account.
  7. Disclosure limitations.  One possible way around HIPAA loopholes is requesting confidential communications by alternative means, Kugele says.  “This is primarily designed to protect battered spouses and other victims of abuse, but perhaps it could be used to limit someone’s ability to change your mailing address.”

Your recourse

The World Privacy Forum has an FAQ section for victims of medical identity theft at www.worldprivacyforum.org.  Experts recommend that you get copies of medical, pharmaceutical, dental and other health insurance records so that you can reconstruct the steps the medical identity thief took while using your benefits.  Once you’re aware of where the thief received health care in your name, you can request copies of medical records and get them corrected.

The World Privacy Forum’s FAQ contains several sample letters you can use to request copies of your medical records and the steps you can take to try to get your records corrected and amended.

In terms of the financial consequences, fact sheets at the Privacy Rights Clearinghouse provide tips on getting your credit report corrected and following up with bill collectors and other creditors: Identity Theft: A Guide for Victims and Criminal Identity Theft: What to Do If It Happens to You.