Medical identity theft a growing problem
■ With 1.5 million victims in the U.S., physicians can take a few simple steps to ensure that patients aren't using someone else's name to get care.
One-third of health care organizations, including physician practices, insurers and pharmacies, have reported catching a patient using the identity of someone else to obtain services, according to a report from the professional services firm PwC.
The report, "Old Data Learns New Tricks," by PwC's Health Research Institute, said the problem -- and consequences -- of medical identity theft could get worse as electronic sharing of patient data increases. Physicians unwittingly could end up using information obtained during a visit with an identity thief in deciding how to treat a patient, for example.
Medical identity theft is still a small percentage of the total amount of identity theft that occurs, but it's the fastest-growing segment, said Jim Koenig, director and leader of PwC's identity theft practice.
"The digitization of patient health information is inevitable, and so are the risks of compromising patient privacy," the PwC report states. "As medicine becomes increasingly personalized through greater access to information mined from new data assets, business opportunities are starting to entice all health sectors to engage on a new data-sharing playground. But there are barriers to gaining admission. Among them is the reality that privacy and security safeguards are not keeping pace with the need to increasingly protect personal information from the bullies."
Phil Blank, a senior analyst with Javelin Strategy and Research, which examines incidents of fraud and helps clients respond to them, said 8% of data breach victims in the U.S. had their medical information stolen in 2010. Medical records were the fifth most commonly stolen data. The most common was credit-card numbers.
Blank cited the slow economy and more people losing insurance as drivers behind increasing medical identity theft.
Larry Ponemon, president and founder of the Ponemon Institute, a privacy research center based in Traverse City, Mich., said his research has found nearly half of medical ID thefts are considered "Robin Hood crimes." That means willing or sympathetic "victims" lend their identity to someone else so that person may get needed services.
Of cases that involve unwilling victims, Ponemon said, many are the result of a practice's insiders stealing information to help someone they know.
A report published in March by the Ponemon Institute and sponsored by Experian ProtectMyID, found that roughly 1.5 million Americans are victims of medical ID theft. Of the 1,672 people surveyed for the study, 633 either had been a medical identity theft victim or went through the experience with a close family member. Fourteen percent said the breach occurred at a health care office, and 10% said employees at a health care organization's office had stolen the data.
PwC acknowledged that many times theft comes from inside the office.
"It's a very different threat than the type of security threat that many health care organizations have been building to protect themselves from for years," Koenig said. "You always think of the hackers and the outsiders and the firewalls and not the knowledgeable insider."
PwC's report is not the first time experts have sounded the alarm on the risks of medical identity theft.
Pam Dixon, founder of the World Privacy Forum, said in a 2006 report that "medical identity theft may also harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies and insurance companies." She said the changes to the records could remain in the files for many years.
"Victims of medical identity theft may receive the wrong medical treatment, find their health insurance exhausted, and could become uninsurable for both life and health insurance coverage," Dixon said in the report. One example Dixon cited in her report was a woman who ended up with the wrong blood type in her patient file.
As medical records become more transportable through electronic networks, the problem could be exacerbated as mistakes are disseminated and re-disseminated among physicians, hospitals, pharmacies and insurers, Dixon wrote.
Preventing medical ID theft
PwC said preventing medical identity theft requires a practice to be committed to privacy of patient information, even beyond following federal standards such as HIPAA. For example, PwC said health organizations should "deputize all workers as privacy champions," mainly by giving them privacy training that will show them how to protect information while making them sure enough in their jobs to access information when appropriate.
PwC also recommends that practices "make privacy part of the consumer experience and brand," showing patients the importance to the practice, and to the patients themselves, of keeping their information confidential. As an example, PwC cites BJC HealthCare in St. Louis, which allows patients to view their records online, but only after they give their assent in a face-to-face meeting.
Some health systems have used biometrics, such as fingerprint or eye scanners, as a means of confirming patient identity. But Ponemon said the simple act of checking photo IDs at each patient visit is an effective, yet underutilized, way to authenticate someone's identity.
He said many organizations feel uncomfortable asking for identification because they are so focused on patient confidentiality, or are afraid of offending someone. But he and other security experts say checking the ID -- and keeping a copy of it in the file to be checked at every patient visit -- can help stop fraud before it happens.
For physicians, not catching fraud can have financial as well as clinical implications. In many cases, security experts said, physicians find they can't collect from identity thieves, and insurers will demand payments back from physicians if an identity thief was treated.
Some organizations are starting to train employees on how to detect an imposter through what appears to be simple conversation. Ponemon said the physicians or nurses can pull out a bit of information from the patient's file that the patient should know, such as his or her age or a previous illness, and ask seemingly innocuous questions about it. Physicians also should be on the lookout for red flags in patient files, such as references to procedures they weren't aware the patient received or mismatched patient information.
Experts said they realize medical identity thieves can put physicians in a difficult ethical position. On one hand, physicians don't want to let a medical identity thief get away with a crime. On the other hand, physicians have an ethical obligation to treat the sick. "Perhaps the right thing to do is to treat the medical identity thief if he or she is truly ill, and then contact law enforcement to nab this criminal," Ponemon said.