If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.
Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.
The definition of medical identity theft is the fraudulent acquisition of someone’s personal information – name, Social Security number, health insurance number -- for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.
[See also: Medical identity theft hits growth phase.]
"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery,” said Pam Dixon, the founder and executive director of World Privacy Forum. “Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities.”
The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans’ medical information. Meanwhile, the law’s emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.
Edward Snowden, the former National Security Agency contractor who has disclosed the agency’s activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.
Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:
- A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn’t even been a patient.
- An identity thief in Missouri used the information of actual people to create false driver’s licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman’s name.
- An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
- A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim’s name.
- A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he not undergone.
Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. “With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20,” he said.
According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.
“We say encrypt, encrypt, encrypt,” said Rachel Seeger, a spokesman for HHS’s Office For Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.
[See also: Locking down EHRs from medical ID theft.]