Mar 13 2008   8:26PM GMT

“Medical” Identity Theft – New (to me) and Scary

Arian Eigen Heald


A recent story in Government Technology magazine educated me on exactly what “medical identity theft” is and what the risks are. Although the article focused on Medicaid and Medicare fraud, the statistics and risks made for scary reading. And it started me thinking about MY medical data.

In a nutshell, medical identity theft involves the use of patient identification numbers and/or physician identification numbers, both used to bill for services and obtain payment.

The FTC estimated, based on overall identity theft statistics, that medical identity theft cases numbered 3 percent of all identity theft cases. That’s about 250,000 cases a year, at a conservative estimate.

The FTC is not responsible for addressing medical identity theft; the Department of Health and Human Services is. Nor is there an ability to use FACTA (Fair Credit Reporting Act) to remove fraudulent medical records.

According to the World Privacy Forum and Blue Cross Blue Shield Association, at least 1 percent of fraud is estimated to be medical identity theft: that’s $600 million per year. Ouch.

For individual patients, the theft of their medical identification numbers presents an even more difficult scenario to resolve than “regular” identity theft. Their medical history gets changed, along with erroneous information about allergies, medications and procedures done. With HIPAA protecting medical records, it is much harder to change the records that list the “bad” information.

And imagine trying to get insurance with a false “pre-existing condition” created by fraud? Not to mention dealing with hospitals and other medical organizations trying to get payment.

Another interesting (and scary) statistic from the WPF:
Cost, on the street, for a stolen Social Security number? $1.
Cost, on the street, for stolen medical ID information? $50.

Medical identity data sitting in our HR databases is more valuable than Social Security numbers. Has it occurred to anyone else besides me that our medical ID numbers are often our Social Security numbers?

Bankrate has noted that since HIPAA has no enforcement mechanism, data security is not a high-priority issue for health care facilities. The penalties are there in the legislation, but there is no inspection or reporting mechanism to ensure compliance. We are, in essence, trusting our medical providers and billers to keep our personal information secured.

Given the state of security in the majority of our business networks today, would that give you a warm fuzzy?

Me neither.

Next: “Synthetic” Identity Theft

1  Comment on this Post

  • Protected Identity
    Medical and Character Identity Theft occurrences are outpacing financial identity theft 3 to 1 and the hospitals are primarily to blame. The lack of hospital policy to validate and verify a patient's identity by simple cross-checking (see Red Flag Rules, Section 114 of FACTA) is an epidemic in operation policy stupidity. Although you state that there is no enforcement, HIPAA, FACTA and to a certain extent, GLB all provide enforcement and penalty components aimed directly at the hospital and medical practices and procedures with regard to non-public/personal information of patients and employees. The FTC is enforcing the legislation, the hospitals are blatantly ignoring it, opting to take a "when it happens to us and we get caught" attitude. Once hospitals are fined severely and CEOs start receiving jail time for data breaches, things will start to change. But why wait for them? As a consumer, you should be proactive right now and protect yourself from all forms of identity theft including Medical, Character/Criminal, Financial, SSN and DMV. Consumer education and proactive efforts on an individual's part to protect their identity can no longer be taken with a grain of salt. Medical and character identity theft can kill you!
    Blatant plug for Scott's company has been removed, but you can still email him if you want more information. AEH