Medical Identity Theft Discussion – How People Have Discovered They are Victims of Medical Identity Theft World Privacy Forum Skip to Content Javascript must be enabled for the correct page display Home Connect With Us: twitter Vimeo email Main Navigation Hot Topics

Medical Identity Theft Discussion – How People Have Discovered They are Victims of Medical Identity Theft

Report home Read the report PDF Previous section Next section

How People Have Discovered They are Victims of Medical Identity Theft

Medical identity theft is a crime that hides itself well. It is a form of health care fraud, which, like other kinds of white-collar fraud, is not a self-revealing crime. [72] There is no way today to quantify or even guess at the percentage of victims who actually discover that their medical identities have been used fraudulently. Statistics from the FTC address one aspect of this issue. The 2003 FTC Identity Theft Survey found that 52 percent of victims of financial identity theft discovered the misuse of their personal information “by monitoring the activity in their accounts.” This included examining monthly statements from banks and credit card issuers. The World Privacy Forum did find instances of medical identity theft victims who had “crossover impact” from perpetrators who also opened credit cards in their name, or who ran up large hospital bills that went to collections. These victims may see unusual bank or credit card activity. But the kinds of fraudulent activity that prosecutions have documented suggest that many victims of medical identity theft will not have any unusual bank or credit card activity to alert them of the problem. As a result, victims of this crime should realistically not depend only on traditional “red flags” to alert them to trouble. Based on cases the World Privacy Forum has studied, following are the primary ways victims have discovered medical identity theft.

Collection Notices

There is a pattern in medical identity theft crimes where perpetrators change the billing address and the phone numbers on the medical charts of victims. This is particularly true when a sophisticated ring has taken over a clinic or has stolen the identity of a doctor. [ 73] This creates a layer of insulation for the criminals because bill collectors usually can’t find the victims to alert them to a problem. But some of the “mom and pop” or “one-off” medical identity thieves can be sloppy, and this has led to some victims getting collection notices. This is what happened to a Birmingham, Alabama man. [74] • An acquaintance of the Birmingham victim stole his expired temporary drivers’ license and used it to receive emergency medical treatment in his name at several hospitals. Months later, the victim received a letter from an attorney demanding payment for an anesthesia group. The victim in this case was able to clear his name because an investigative reporter from a TV station helped him break through hospital red tape. The hospital was apparently reluctant to release the medical file to the victim. But the reporter was able to convince the hospital to compare a medical x-ray of the perpetrator’s and the victim’s right hand – which were markedly different, and thus cleared the victim’s name. The victim said his imposter’s activities added up to more than $10,000 in medical bills. • In the Ryan case in Colorado, the victim received multiple collection notices from a hospital for $44,000 worth of services he had not received. On top of that, collection notices appeared on his credit report and created a subsequent drop in his credit score. [75] In Ryan’s case, he did not have insurance, so no insurance information was stolen. Even at that, Ryan’s financial life has been severely impacted by the medical identity theft. In researchers’ most recent discussion with Mr. Ryan, he has noted that his medical identity theft will likely cause him to lose everything “but his dog.” [76]

Credit Report

Consumers whose medical bills go to collections and whose identity information is used to open multiple accounts will see that activity on credit reports. Based on consumer complaints made to the FTC regarding medical identity theft, many of those victims were alerted after seeing a credit report. However, it should be kept in mind that there are likely many more victims who simply did not find out they were victims because the criminals did not open other accounts beyond the medical accounts.

Receipt of Someone Else s Bills

In 2005, a Lufkin, Texas medical identity theft victim received someone else’s medical bills. The bills came to the victim after the perpetrator used the Texas man’s identity to get medical treatment. The victim received the bills after the fact and filed a police report. [77] One woman who complained to the FTC stated that she received a bill for her son for medical lab fees at a hospital when her son had never been to that hospital. These incidents illustrate why its a good idea for consumers to review all bills and notices they receive concerning medical services. If there is a less sophisticated criminal, bills can tip victims off. But this is not something victims can rely on, however. Medical identity theft can be a sophisticated crime with professional operators that typically change billing addresses so this sort of thing doesn’t happen. Because of the high level of the criminal operators, it is more likely that victims will not know that their identities are being used.

Notification by Law Enforcement or an Insurance Company

When a fraud case comes to light, victims associated with those cases may be contacted by an insurance fraud investigator for a private insurance company, or by a member of law enforcement. In one situation like this, parents of teenagers were informed that their childrens’ psychiatrist had altered their childrens’ medical files to include diagnoses of “suicidal ideation” and other serious psychological illnesses that the children did not have.

Notification by a Health Care Provider

It is unusual for victims to be notified of medical identity theft by a health care provider, such as a doctor or a hospital. There have been a few reported cases, though. For example, a hospital near Albuquerque, New Mexico treated a woman for a toothache and prescribed her Oxycodone. When hospital staff called the patient to check on her condition, they discovered that the patient had impersonated her sister, and the sister’s identity information had been used multiple times to obtain medical services and prescription drugs. [78]

Medical Problem at an Emergency Room

The worst-case scenario is that a victim does not learn about medical identity theft, or only learns about it during the course of a medical emergency when obvious medical discrepancies that have been introduced into the medical file by the criminal are discovered. False entries made to the medical file is common in medical identity theft, 79 what may be less common is for victims to find out about the changes. • In a document sent to the FTC, a Florida woman stated that she went to receive medical treatment, and said she discovered that someone impersonating her had caused false entries to be placed in her medical file. The victim was able to catch errors relating to blood type in time. 80

Notification of Data Breach by a Medical Provider

Medical data breaches are serious business, because there is a long and well-substantiated history of criminals using lists of patient names in medical identity theft operations. [81] Criminals who have broken into hospital computers and have stolen patient identities for the purpose of medical identity theft may leave no other trail for victims other than a database breach notification by the breached organization. One Jacksonville Florida consumer who complained in April 2006 to the Federal Trade Commission said that she had received a breach notification from a financial company. Later, a suspect used her name, date of birth, and Social Security Number at a dental office and charged $4,050 worth of services. The suspect also used the consumer’s Social Security Number for $950 of other medical services. [82] Medical files belonging to Oregon and Washington patients were stolen in a health system database breach in December of 2005. A Beaverton resident was quoted in The Oregonian describing a strange experience: after the breach, he received an alert from his identity theft watch service to tell him that someone was trying to reassign his phone number. [83] Changing and reassigning victim’s phone numbers is a trick medical identity thieves have used to keep their victims in the dark about the crime. This man probably did not know about how organized medical identity theft rings operate; in his case, he was fortunate to receive notification. A post-breach check of victims’ credit reports will usually not reveal medical identity theft, particularly if the perpetrator is a professional, as is typical with medical identity theft. Only a proactive check of insurance claims with all relevant insurers will provide the necessary clues to victims.

Denial of Insurance Coverage Notification that Benefits have Run Out or lifetime cap Has Been Reached

Another way victims have discovered medical identity theft is when they apply for medical and/or life insurance and are denied due to diseases reflected by their altered medical charts. In other cases, victims are notified that coverage for legitimate hospital stays are being denied because their benefits have been depleted, or that their lifetime cap has been reached. Sometimes, entire families can be victimized due to “looping.” Looping is a when a medical identity thief victimizes all insured members of the family one after the other, whether the victims are patients or not. After one victim’s benefits run out, the thief turns to the next member of the family until those benefits run out, and so on. [84]

Review of Explanation of Medical Benefits Notices

Some victims discovered medical identity theft when they found mistakes on their explanations of benefits notices. Medicare, Medicaid, and private insurers send these notices. In medical identity theft, the recipients’ addresses may be changed, but when this is not the case, the explanation of benefits notices can be helpful detection tools. In California, a mother checked her mentally ill son’s explanation of benefits to find that Medicare had been billed for more than 70 respiratory treatments, even though her son did not have a respiratory condition. Medicare sent the son notices stating those benefits were paid, which was how this particular case came to light. The doctor in this case, which included other victims, fraudulently billed more than $7.6 million and was convicted of federal charges in 2005. [85] ___________________________________
Endnotes [72] See discussion of this point in Malcolm K. Sparrow, License to Steal: How Fraud Bleeds America’s Health Care System at 120 (Westview Press, 2000). [73] Author interviews with the FBI and Department of Justice. Also see Sparrow pages 132, 133. Also see public records on cases discussed in this report. For example, See Littleton Police Department Inclusive Case Report from January 17, 2006 re: Criminal Impersonation of Joe Ryan. [74] Medical Identity Theft: What’s the Deal? NBC13.com, March 21, 2003. . [75] See Littleton Police Department, Inclusive Case Report,Criminal Impersonation of Joe Ryan, pages 5, 6, and 11 (Jan. 17, 2006). [76] Interview with Joe Ryan, April 2006. [77] 5. The Lufkin Daily News, 15 July 2005, Police Report. [78] Rozanna M. Martinez ,“Ex-Deputy Is Indicted On Charges of Fraud.”, 5 April 2006, Albuquerque Journal. [79] See Jason Kandel, “Medi-Cal Fraud Flourishing on Black Market,” 7 August 2005, Los Angeles Daily News. [80] Comment of L.Weaver in Federal Trade Commission, Identity Theft Victim Assistance Workshop,(Aug. 18, 2000), [81] Interviews with Department of Justice by author.
82 World Privacy Forum FOIA to the Federal Trade Commission. FTC FOIA-2006-00601. [83] Joe Rojas-Burke, “Providence critics push for safer records,” January 27, 2006. The Oregonian, [84] See, e.g.,United States. v. Skodnek. 933 F. Supp. 1108, 1996 U.S. Dist. LEXIS 9788. (D. Mass. 1996.). [85] See U.S. Department of Justice “Doctor and Biller Convicted in Multi-Million Dollar Medicare and Medi-Call Billing Scam,” Press Release, December 23, 2005. < http://www.usdoj.gov/usao/cac/pr2005/176.html >. Roadmap: Medical Identity Theft – The Information Crime that Can Kill You: Part II Discussion – How People Have Discovered They are Victims of Medical Identity Theft

Report home Read the report PDF Previous section Next section

Posted May 3, 2006 in Report: Medical Identity Theft - The Information Crime that Can Kill You Next »Medical Identity Theft: Discussion – Some Dynamics of Medical Identity Theft « PreviousMedical Identity Theft: Discussion – The Human Cost of Medical Identity Theft WPF updates and news CALENDAR EVENTS

WHO Constituency Meeting WPF co-chair

6 October 2022, Virtual

OECD Roundtable WPF expert member and participant Cross-Border Cooperation in the Enforcement of Laws Protecting Privacy

4 October 2022, Paris, France and virtual

OECD Committee on Digital and Economic Policy fall meeting WPF participant

27-28 September 2022, Paris, France and virtual more Recent TweetsWorld Privacy Forum@privacyforum·7 OctExecutive Order On Enhancing Safeguards For United States Signals Intelligence Activities The White House https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/Reply on Twitter 1578431679592427526Retweet on Twitter 1578431679592427526Like on Twitter 1578431679592427526TOP REPORTS National IDs Around the World — Interactive map About this Data Visualization: This interactive map displays the presence... Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974 This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process. COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic The COVID-19 pandemic strained the U.S. health ecosystem in numerous ways, including putting pressure on the HIPAA privacy and security rules. The Department of Health and Human Services adjusted the privacy and security rules for the pandemic through the use of statutory and administrative HIPAA waivers. While some of the adjustments are appropriate for the emergency circumstances, there are also some meaningful and potentially unwelcome privacy and security consequences. At an appropriate time, the use of HIPAA waivers as a response to health care emergencies needs a thorough review. This report sets out the facts, identifies the issues, and proposes a roadmap for change.