Is Medical Identity Theft Really a Problem?

Many people, even those of us that are professionally in the privacy and fraud communities, haven’t even heard about medical identity theft. And certainly many give little thought to the risks that it presents to consumers. Is it really a problem, or is concern about it overblown? A Wall Street Journal article titled “How Identity Theft Sticks you with Hospital Bills” (Aug. 7, 2015) speaks to this growing threat and the potential harms that your customers and patients face from medical ID theft.

Medical identity theft today is where more conventional types of financial identity theft were about a decade ago. It represents a small but impending threat to U.S. consumers that is based on how hackers, many of whom today are nation-states or offshore organized crime, are focusing their gunsites on health data as the next motherlode for monetizing stolen personal information.

While only 2.3 million adult patients in the U.S. were affected by medical identity theft in 2014 (Ponemon Institute, 2015), a relatively small group of folks, this number has been growing around 65% annually, and is set to explode in the coming years due to the extraordinary number individuals whose health information has been exposed by data breaches in recent months, 80 million alone by the breach at Anthem Inc., a major U.S. health insurer.

As noted in the Journal article, “‘Identity theft is pervasive throughout health care,’ says Gary Cantrell, deputy inspector general for investigations at HHS’s Office of Inspector General. “‘We see it as a growing concern.’ ”

So it would appear that the “trajectory” for medical identity theft victims is definitely up and to the right. The number is growing and likely to grow faster in the coming years. But does this really create a problem for consumers? Does medical ID theft really cause us any problems? Isn’t it just an issue for the insurance payers who may pay fraudulent claims? In most cases, there isn’t any financial harm to a medical ID theft victim, is there?

Well, in fact, medical identity theft is more insidious and more threatening to consumers than almost any other type of identity theft. It can harm a consumer financially, it can take a massive amount of time and effort to repair, and maybe most seriously, it can be life-threatening. Why is that?

Well first, people using your health insurance information to get medical services can “pollute” your electronic health records. From the Journal, “ ‘Medical identity theft is a big issue,’ says Linda Reed, Atlantic’s [Atlantic Health System Inc. of Morristown, N.J.] chief information officer. “They steal your medical identity and have a procedure or treatment done, and it’s fused with your records.’ ”

Maybe the most obvious impact of such activity is that it creates inaccuracies in your medical records, and that when you seek medical services in the future, your doctor may rely on these inaccuracies and provide you with improper treatment regimens. That is where the “life-threatening” part comes into play.

But medical identity theft can also hurt you financially as well. Look at the case of Mr. Meniners noted in the Journal article.

“Kathleen Meiners was puzzled when a note arrived last year thanking her son Bill for visiting Centerpoint Medical Center in Independence, Mo. Soon, bills arrived from the hospital for a leg-injury treatment. Someone had stolen Bill Meiners’s Social Security and medical-identification numbers, using them to get care in his name….She began early last year with a call to the Centerpoint medical center, which she says promised to clear the fraudulently billed January 2014 leg-injury treatment. But in November, the center’s radiologists turned her son’s case over to collections, seeking $25. This year, the emergency-room physicians sent a bill for $462. And the hospital, she says, wanted her to pay a bill of about $300.”

While it may sound like it should be simple, clearing up an erroneous billing situation with a healthcare provider can be very complicated, time-consuming, and ultimately unsuccessful. Proving that the services were provided to someone else that stole your personal information is a bit of a Catch-22. While it may be your medical file, because of HIPAA laws, you don’t have access to information that effectively is not yours.

And of course, medical identity theft can cause great financial harm to the healthcare industry. Which indirectly affects all of us with higher medical insurance premiums and healthcare provider fee schedules.

Again, from the Journal. “Sometimes, health-care providers are the perpetrators. Federal prosecutors charged Dr. Kenneth Johnson with using Manor Medical Imaging, a Glendale, Calif., clinic, to write prescriptions for drugs and then sell them on the black market...Benjamin Barron, an assistant U.S. attorney in the district [U.S. District Court for the Central District of California], says one victim found out about the scam when he was unable to get his legitimate prescriptions filled. ‘His entire medical benefits were looted,’ Mr. Barron says.”

In situations like this, the health insurance payers are defrauded, driving up their costs, and the consumers that are victimized have problems then getting legitimate medical services properly reimbursed.

So based on all of this, I would conclude that yes, in fact, medical identity theft really is a problem. And the problem is growing rapidly and likely to be something that we are all aware of before too long.

For those of us in the privacy, compliance, information security, and risk communities, we are likely to become much more closely acquainted with medical identity theft in the coming years. As the bad guys continue to target health data, history tells us that they will have some level of success in breaching our defenses. And when this happens, we need to ask ourselves how we can best protect the affected patients/members/consumers from the harms of medical identity theft.

We have seen the insidious challenges for consumers of medical identity theft coming for several years now, and have noted the dearth of solutions out there to help the affected victims. That is why we created the MIDAS medical identity monitoring solution. While it is the only consumer-facing solution for addressing the risks of medical ID theft on the market today, we hope that it will usher in a new class of products and services that will help consumers in dealing with the thorny issues of medical identity theft.