Medical Identity Theft: A Big Deal or Much Ado about Nothing?

The number of Americans whose healthcare information has been disclosed in data breaches—140,000,000 in the past few years, nearly half of all Americans—is enough to make anyone feel slightly ill. Yet only a percentage have fallen victim to actual medical identity theft, 2.3 million adult patients in 2014, according to the latest Ponemon Institute study on this topic.

So this poses an important question: Is medical identity theft that big of a deal?

According to a recent New York Times article, aptly named “Stolen Consumer Data Is a Smaller Problem Than It Seems,” the answer is no—at least for identity theft in general. While the author admits to the horrors of identity theft, he says “consumers are almost never on the hook for financial losses in these sorts of episodes, which, by the way, have also been on the decline.”

In fact, he writes, “This relatively sanguine picture of the impact of data breaches is an example of a threat that looks worse than it turns out to be. The sheer size of hackings shocks and startles when the attacks are first reported, but it’s rare that journalists check on the actual consequences.”

The picture is not so sanguine for victims of medical identity theft. The number of victims has nearly doubled in five years, according to Ponemon, and the health consequences of this crime will never be cured with credit monitoring, the traditional SOP of comfort offered to victims. And privacy laws, which in some cases appear to protect the thief more than the patient, can cause the problem to drag on for years.

A recent article from the Wall Street Journal highlighted the havoc medical identity theft can have on its victims:

• A man with Down syndrome was billed for a leg-injury treatment that he never received. In addition, his health record was contaminated with the thief’s medical information, including a drug allergy he didn’t have.
• An undocumented immigrant used somebody else’s name to get a liver transplant.
• A retired Florida woman with two feet was billed for an amputated foot.
• A man was unable to fill his legitimate prescriptions because his medical benefits had been “looted.”

Who’s Sounding the Alarm?

The NYT article goes on to compare the security firms that provide statistics on identity fraud and online attacks “to the soap company that advertises how many different types of bacteria are on a subway pole without mentioning how unlikely it is that any of those bacteria would make you sick.”

This harsh criticism is not without cause; nonetheless, the problem is very real. The government itself is visibly concerned about medical identity theft. Gary Cantrell, the deputy inspector general for investigations at HHS’s Office of Inspector General said in the Wall Street Journal article: “Identity theft is pervasive throughout health care,” he said. “We see it as a growing concern.”

And in April, President Barack Obama signed a bill, that according to the Wall Street Journal, “requires HHS to issue Medicare cards that don’t display, code or embed Social Security numbers.”

On the state level, Nevada, Oregon, Rhode Island and Connecticut recently updated their consumer notification laws to expand their definition of sensitive personal data to include protected health information (PHI).

We can only hope that healthcare organizations and the government continue to prioritize medical identity theft. Because for the ever-growing number of Americans whose health is at risk from improper disclosure of their information, medical identity theft is a very big deal, indeed.

Next in this series, we’ll discuss how data breaches are turning patients into victims of medical identity theft.

Over 140,000,000 Americans’ Health Information Disclosed in Data Breaches