Our Medical Records: Out of Our Hands

Special Edition - National Consumer Protection Week

February 2007


The problem of medical identity theft looms largely under the public radar, but its effects can be devastating.  Medical identity thieves can rack up hundreds of thousands of dollars worth of fraudulent claims and worse yet, if they seek care under your name, false information can end up in your private medical history.  Pam Dixon of the World Privacy Forum believes the time is now to begin protecting ourselves using lessons learned from the battle against financial identity theft.

In Pennsylvania, a man is billed for $100,000 worth of medical treatment he never received.  In Florida, a woman goes to her doctor and discovers that somebody has altered the blood type listed on her medical file.  Patients in Boston find out they’ve been falsely diagnosed with severe depression and drug addiction so that an area psychiatrist can bill them for false claims.  When they realize how hard it is to clear it from their medical record, they’re irate.

“They can take any of your records that aren’t covered by HIPAA and make them public,” Dixon says.
Horror stories like these routinely come to the attention of Pam Dixon, executive director of the World Privacy Forum.  They’re emblematic of the growing crime of medical identity theft, an issue her privacy and technology research group addressed in a 56-page report last May, and which remains a priority in its educational outreach efforts.

Medical identity theft occurs when a person uses somebody else’s insurance information, social security number or other personal information to obtain health care.  The patient makes a clean getaway, leaving the unsuspecting victim to foot the bill.  Depending on whether or not a victim is billed at their correct mailing address, it can take anywhere from a few months to a few years (typically when unpaid accounts go to collection), for them to discover the fraud. 

Thieves can rack up tens of thousands of dollars worth of medical bills.  Worse yet, they potentially put their victims’ health in jeopardy when their medical history becomes intermingled with the “real patient’s” medical history—changing information about blood type, drug allergies or pre-existing conditions, for example.  The World Privacy forum estimates that anywhere from 250,000 to 500,000 people have been victimized by this crime since 1995.

How does medical identity theft occur?

Medical identity theft can be facilitated a number of ways. Often it starts with the handiwork of an insider—a doctor, nurse or employee of a health provider who passes the information along to an identity thief or a criminal syndicate that specializes in obtaining and re-selling people’s identities. This method has become a well-known practice to police in LA who deal with gangs.  There, a common scenario goes as follows:  the girlfriend of a gang member gets a job at a place where sensitive information is held (such as doctor's' or dentists' offices); she steals the information and passes it on to the gang; the gang in turn sells it to a larger syndicate that specializes in identity theft.  The “inside job” scenario is a major area to crack in the fight against medical identity theft.

Or, medical identity theft can be the result of a data security breach not much different than the high-profile heist of a laptop containing unencrypted information on 26 million veterans, the hacking of the UCLA database, or the mysterious disappearance of a back-up tape containing personal information on 1.2 million credit card customers.

“There’s nowhere for medical identity theft victims to go,” Dixon says. “They just fall through the cracks.”

Many hospitals outsource record-keeping responsibilities to third-party vendors, who store insurance information, social security numbers and other sensitive data on computers located overseas, where privacy protection laws may not be as stringent as they are in the United States. “They can take any of your records that aren’t covered by HIPAA and make them public,” Dixon says.

Few options for victims:

Unfortunately, finding and correcting a thief’s handiwork can be next to impossible. The first problem, according to Dixon, is that patients have no legally mandated right to see their own medical files. Unlike personal credit reports, which must be made available to consumers once a year by federal law, there is no statute or regulation requiring that medical files be made available to respective individuals.

Some hospitals and/or medical providers will grant patients access to their files at a cost, sometimes as much as $1 per page. Given that medical charts can run 250 pages or more, it’s not difficult to see why this isn’t a prudent option for many consumers. “Victims of medical identity theft don’t have as many rights as victims of regular financial identity theft,” Dixon says.

“Victims of medical identity theft don’t have as many rights as victims of regular financial identity theft,” Dixon says.

People who fall prey to financial identity theft also can go to the Federal Trade Commission, and in a growing number of states, the state Attorney General as well, to report the theft, obtain credit freezes, instigate a criminal investigation and begin taking steps to rebuild their identities. But there is no one government agency at the federal or state level that even tracks medical identity theft, and while the Attorney General’s office may prosecute select cases, there has not been the aggressive push needed to bring medical identity thieves to justice. Nor is there any process in place that victims can follow to clear false information from their medical files.

That is what makes medical identity theft so insidious, Dixon says. It’s hidden. And its victims have no way to recover. “There’s nowhere for medical identity theft victims to go,” she says. “They just fall through the cracks.”

There’s little that individuals can do to about the industry-wide trend to outsource medical database operations. But just as citizens demanded more transparency with their financial records to ward off traditional identity theft, we need to push for more legal protections for our medical identities.

The federal government has proposed creating the National Health Information Network (NHIN), a massive database for medical files. While the network has its advantages—allowing patients to manage their own health care records, move the records when they change jobs and share the records with insurers when they buy a policy, an easier path to at least learn of misinformation in their files, for example—it could also provide identity thieves with a single tool through which they could perpetrate widespread medical fraud. 

Given the Federal Trade Commission’s recent successes in investigating and prosecuting companies that expose private financial data to potential thieves, Dixon believes the agency is well prepared to take on the similar task of prosecuting medical identity thieves. As was the case when the nation awakened to the epidemic of financial identity theft, the first step will be giving victims the right to see their own medical records and delete fraudulent information.
   
“For years in the financial sector, private financial information was viewed as a marketing bonanza,” Dixon says. “We just can’t allow that to happen in medicine. The risks are too great.” 

©2003-2010 Identity Theft 911, LLC. All rights reserved.

.
.