Crimes of the chart
By John Pulley
A Colorado man receives a $44,000 bill for colon surgery he did not have. Social workers in Utah accuse a woman of giving birth to a methamphetamine-addicted baby and threaten to take away her children. A mortgage lender rejects an application to refinance the home of a couple whose credit history is riddled with mysterious claims of unpaid medical bills.
All are victims of medical identity theft, a crime involving the use of stolen personal information to pose as someone else for the purpose of getting drugs, medical treatment or health care equipment. The crime has long existed in a somewhat benign and largely dormant form. Now, as the health care sector transitions to electronic formats, it is metastasizing.
"Medical identity theft is a new term for an old problem," said Barbara Cox, senior principal for the Information Management and Systems practice at Noblis, a not-for-profit science and technology consulting firm. "It is becoming more heightened because of moving more data electronically."
Weak, nonexistent or unenforced laws; inadequate governmental oversight; rising health care costs; large numbers of uninsured and underinsured patients; and weak procedures for verifying patients' identities fuel the growth in medical identity theft.
"The federal government hasn't stepped up," said Adam Levin, former director of the New Jersey Division of Consumer Affairs and now chairman of Identity Theft 911, which provides information on avoiding identity theft. "It's coming late to the party."
Privacy advocates contend that the move to electronic medical records could further jeopardize patients' privacy. They say the development of EMRs, wireless health information technology and the Nationwide Health Information Network could be a boon for criminals.
"Unless something substantial is done, [the national system for exchanging electronic health data] is going to be an engine to facilitate medical identity theft," said Pam Dixon, executive director of public interest research group World Privacy Forum.
The scale of the threat
The Federal Trade Commission estimates that 8.3 million people were victims of identity theft in 2005. Some 3 percent of them, or about 250,000 people, were victims of medical identity theft.
"The most common thing is to get drugs - OxyContin and other controlled substances," said Alex Johnson, a former FBI fraud investigator who leads the special investigations unit at Regence, a health insurer in the Northwest. For example, a man in Pennsylvania used a stolen identity to obtain more than three dozen prescriptions for Viagra.
In addition to the financial and legal consequences of ruined credit and maxed-out insurance benefits, victims of medical identity theft often are left with corrupted medical histories. Blood types are changed and allergies are added or deleted, for example, which could result in victims receiving ineffective or harmful medical treatments. Adding insult to injury, victims of identity theft are sometimes suspected of being thieves themselves.
Health care facilities tend to be trusting institutions, and medical workers are not always trained to detect fraud. The simple act of requiring patients to show photo IDs is far from the norm. In that environment, medical identity theft is easy to commit.
"The entire system of identification is based on the honor system," said Robert Siciliano, chief executive officer of IDTheftSecurity.com.
If not for the seriousness of the consequences, the brazenness of some thieves would be comical. In one case, a boy seeking medical care used the identity of a 40-year-old woman. "They just don't look at stuff like that," said Heather Wells, a recovery services manager at ID Experts, which helps restore identities corrupted by thieves. " It's definitely going to get worse."
By way of protection, privacy advocates urge consumers to never divulge personal information to unknown parties and regularly check their credit reports and explanation of benefits statements. But until government and industry move to secure medical data, patients' options for limiting their exposure are limited.
"Medical identity theft can only be fully prevented if you haven't been born yet," Siciliano said. "Once you have a medical record and a Social Security number, the cat's out of the bag."
So far, the government offers little help to victims of medical identity theft, and laws lack aggressive enforcement tools. Those that regulate the financial sector give consumers the right to review credit histories, challenge inaccuracies and restore credit scores. But those rights don't exist for victims of medical identity theft.
"This crime falls squarely between gaps in laws [and] gaps in federal agency jurisdiction," Dixon said.
The federal law that deals with the privacy of medical information - the Health Insurance Portability and Accountability Act - can actually impede efforts to clear the wreckage of medical identity theft. HIPAA's privacy provision limits access to information about the health and medical care of individuals, which can include patients' medical records and payment histories. In a perverse twist, health care organizations have denied victims access to parts of their medical records on the grounds that they contain information about other people. In the universe of HIPAA regulations, identity thieves deserve privacy, too.
"Other than enacting the Real ID Act, the government isn't doing enough - or anything effective - to prevent financial identity theft," said Siciliano, referring to a federal law that imposes standards on state driver's licenses. "For medical identity theft, HIPAA was a start, but that's not enough to prevent fraud."
FTC has moved to address medical identity theft in the interest of consumer protection, but its role is limited. In June, the Office of the National Coordinator for Health IT announced that it had contracted with Booz Allen Hamilton to perform an "environmental scan of the medical identity theft problem in the U.S., particularly focusing on the intersection of health IT." The Health and Human Services Department declined to comment on the initiative.
"The sense I get is that [HHS officials] are trying to grapple with all the aspects of the project to bring about the Nationwide Health Information Network," said Burke Kappler, a lawyer in FTC's Division of Privacy and Identity Protection. "This is an evolving problem. We are still trying to identify the contours of the issue."
If the policy aims are unclear, the technology challenges are even fuzzier. On the black market, low-quality personal identities can be bought and sold for pennies apiece. High-quality records that include names, addresses, Social Security numbers, birth and death information, and other sensitive data - the kinds of records health care organizations hold - have a street value of up to $60 each.
Systems used to secure such records don't always incorporate a recognition of their underlying value. Also, health care systems are designed to be relatively easy for medical providers to access.
Identity thieves gravitate toward "the softest targets that yield the highest value," said Gunter Ollmann, chief security strategist at IBM Internet Security Systems. "From a network perspective, the health care industry has always been pretty far behind the financial and retail