Healthcare fraud is costing American taxpayers up to $234 billion annually, based on estimates from the FBI. It’s no wonder that a stolen medical identity has a $50 street value, according to the World Privacy Forum – whereas a stolen social security number, on the other hand, only sells for $1.
One form of healthcare fraud, known as medical identity theft, has its own staggering statistics: 1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. The report estimates the annual economic impact of medical identity theft to be $30.9 billion.
Medical identity theft occurs when a person uses someone else’s medical record to obtain medical goods or services or to bill for medical goods and services that the patient did not receive. Thieves will also use a person’s social security number to obtain medical services or health insurance.
The harm medical identity theft causes patients
With its serious health risks, medical identity theft is far more dangerous than the more well-known consumer or financial identity theft. When a victim’s records are merged with a thief using the same identity, for instance, that record becomes “polluted,” and the victim may be denied treatment or be misdiagnosed based on this inaccurate information. In addition, patients may be denied life insurance or billed for services not rendered. A few real-world examples illustrate the dangers:
- In Oregon, a pregnant woman delivered a baby addicted to crack using another woman’s social security number—and then abandoned the baby. Police arrested the victim and put her children into protective custody.
- A hospital’s billing department notified a pregnant woman in Washington that someone had used her social security number to be treated for a crack overdose at the ER of the same facility where she was about to deliver her baby.
- A patient in Texas used a California man’s medical identity to obtain radiation treatment and other care. When the thief’s records and the patient’s records merge, healthcare providers will think the patient has a condition he doesn’t have.
- One woman used her sister’s medical ID to receive treatment for a serious sports injury. When chronic problems arose, she was denied coverage for further treatment because there was no record of her initial treatment.
- Another woman couldn’t get physical therapy following neck surgery because a Miami clinic that she had never visited claimed her insurance benefits had been maxed out.
- A teenager was denied the opportunity to give blood because the Red Cross flagged her social security number as belonging to a person who had tested positive for HIV. Another person had used her social security number at a free AIDS clinic in another state, and the clinic did not ask for physical copies of identification.
Data breaches — A major source of medical I.D. theft
Whether caused by theft, loss, human error, or hacking, data breaches put patient data at risk for medical identity theft. The number of healthcare data breaches has risen dramatically, increasing the likelihood for medical identity theft; in 2011, more than 18 million patients were listed on the HHS’ “Wall of Shame” as having their protected health information (PHI) breached. Tighter privacy laws, increased scrutiny from the HHS’ Office for Civil Rights (OCR), and the potential for costly fines make medical identity theft a problem for all healthcare organizations.
Three tips for protecting patient data
Preparation is the best defense for mitigating the chances of a data breach and the costly consequences of medical identity theft. To start preparing now, we recommend that healthcare organizations:
- Take an inventory of PHI/PII. An inventory provides a complete accounting of every element of personally identifiable information (PII) and PHI that an organization holds, in either paper or electronic format. It helps determine how an organization collects, uses, stores and disposes of its PHI. By revealing the risks for a data breach, a PHI inventory helps an organization protect PHI data and best plan for a response based on real information.
- Develop an Incident Response Plan (IRP). An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents. The IRP designates roles and provides guidelines for the response team's responsibilities and actions.
- Review contracts and agreements with business associates. Business associates are a growing cause of data breaches. These contracts authorize and define business associates' use of the PHI they share with healthcare providers. Keeping these contracts up-to-date demonstrates compliance to regulators and helps maintain consistency in how PHI is managed in a healthcare ecosystem.
With its combined financial and health risks, medical identity theft has greater consequences for victims than more traditional forms of identity theft. Healthcare organizations, therefore, have a greater obligation to step up their privacy and security efforts to safeguard their patients’ health information. Protecting a patient’s physical – and financial – well being is, after all, the best form of caring.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).
Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.