The Rise of Medical
Identity Theft
When thieves take your
personal data to get prescription drugs, doctor care, or surgery, it can
endanger your health and trash your finances
By Michelle Andrews
August 25, 2016
It began like an ordinary purse snatching. The credit card
reader on the gas pump at her Houston neighborhood station wasn’t working, so
Deborah Ford went inside to pay. By the time she returned to the car, her purse
and wallet were gone. Ford filed a police report, canceled credit cards, and
requested a new driver’s license and health insurance card. She checked with
the bank several times to be sure nothing was funny, then forgot about it.
Two years later, the retired postal worker
received an unsettling call from a bail bondsman; she was about to be arrested
for acquiring more than 1,700 prescription opioid
painkiller pills through area pharmacies.
“I had my mug shot taken, my fingerprints
taken,” she says. Ford suffers from psoriasis,
and she was so stressed that she broke out in the signature rash. “The policemen
looked at my hands and said, ‘That’s what drug users’ hands look like.’ They
just assumed I was guilty.”
Later, a judge dismissed the charges. “What
saved me from going to jail was that I had filed that police report,” Ford
says.
Turns out the thief altered Ford’s driver’s
license and used that and her stolen health insurance card
to go to doctors to seek prescription painkillers. Eventually, Ford says, a
pharmacist became suspicious and called police.
“Boy, the thieves messed me up,” Ford says now
of her lengthy and expensive ordeal, which began with the theft in 2008 and
didn’t end until she got her name cleared of the arrest record last year. “Once
they’ve got your identity, they’ve got you,” she says.
Inside Medical Identity Theft
Ford’s story is but one glimpse of what
medical identity theft can look like these days and why it has become a
fast-growing strain of identity theft, with an estimated 2.3 million cases identified
in 2014, a number that’s up almost 22 percent from the year before.
Your personal health insurance information,
including your Social Security
number, address, and email address, is valuable and vulnerable. When
it gets into the wrong hands it can be used to steal expensive medical
services—even surgeries—and prescription
drugs or to procure medical devices or equipment such as
wheelchairs.
Your medical identity is a commodity that can
be hijacked and used to falsify insurance claims or to fraudulently acquire
government benefits such as Medicare or
Medicaid. Your personal medical information may also be sold on the black
market, where it can be used to create entirely new medical identities based on
your data.
And more often than you might imagine, people
outright share their own medical coverage with an uninsured friend or family
member in need of care, which is against the law. (More on that later.)
Because current consumer protections aren’t
specifically designed for medical identity theft, experts warn, people need to
understand that they may have to take on extensive work to clear up fraudulent
bills. Some frustrated victims of medical identity theft simply give up and pay
the bills themselves.
But there’s another, far more dangerous
problem with medical identity theft: The thief’s own medical treatment,
history, and diagnoses can get mixed up with your own electronic health
records—potentially tainting and complicating your care for years to come. And
that isn’t a hypothetical problem.
“About 20 percent of victims have told us that
they got the wrong diagnosis or
treatment, or that their care was delayed because there was confusion about
what was true in their records due to the identity theft,” says Ann Patterson,
a senior vice president of the Medical Identity Fraud Alliance (MIFA), a group
of several dozen healthcare organizations and businesses working to reduce the
crime and its negative effects.
Havoc in Victims' Lives
The long tail on medical identity theft can
create havoc in victims’ lives. Take Anndorie Cromar’s experience. A pregnant
woman reportedly used Cromar’s medical identity to pay for maternity care at
a nearby hospital in Utah.
Soon, officials from child protective services
assumed the infant—born with drugs in her system—was Cromar’s baby, and Cromar
says the state, not realizing her medical identity had been hijacked,
threatened to take her own four children away.
A DNA test she took helped to get her name off
of the infant’s birth certificate, she says, but it took years to get her
medical records corrected.
“That first stage was the most terrifying
thing I’ve ever experienced in my life, getting the call from CPS and having
them say, ‘We are coming to take your kids,’ ” Cromar told Consumer Reports.
An Insidious Kind of Fraud
Financial identity
theft is nothing new: Perhaps you or someone you know has had
to deal with undoing the mess that happens when someone illegally obtains your
personal financial information and uses it to drain your bank account or
rack up charges on credit cards fraudulently
taken out in your name.
Setting credit accounts back to normal can be
a hassle, but your money is, for the most part, protected under the Fair Credit
Billing Act. You’re liable for only $50, at most, of unauthorized charges on a credit cardif
you follow simple notification steps. And there are defined reimbursement rules if money is illegally withdrawn with
a stolen ATM or debit card.
But when consumers become victims of medical
identity fraud, stopping the damage and clearing up the bills is much more
difficult and time consuming.
Deborah Ford had to quickly figure out what
had been done in her name and try to undo the damage. She got on the phone and
wrote letters and even tried to track down doctors the criminal had used. “All
I have is my name, my integrity,” she says.
Investigators later told her that the thieves
were savvy at knowing the system, always waiting 45 days between trips to the
same pharmacy to avoid being identified by store video. “They were so slick
about it,” Ford says. ‘To this day, I don’t know who they were. But they were
slick, that’s for sure.”
Spotting It, Preventing it
Experts say detecting the fraud in the first
place can be the most difficult part. “Medical identify theft and fraud is much
harder to spot than financial fraud,” says Michelle De Mooy, acting director of
the Privacy & Data Project at the nonprofit Center for Democracy &
Technology. “The bank calls you if they see charges in the system that raise an
alarm. This kind of fraud is much easier to hide for a longer time.”
That’s why consumers need to be especially
smart and careful about how and when they share their personal, medical, and
insurance information.
Here are a few basic ways you can safeguard
your medical privacy and identity: Read those explanation of benefits letters
as if they were bank statements. Carefully check all of the correspondence you
receive from health insurers and healthcare providers for accuracy and for
bills of service that you don’t recognize. Also review your credit reports for
unfamiliar debts. Be stingy with your personal health information, Social
Security card, and insurance cards. If someone asks for them, inquire whether
it is really necessary.
And don’t post news of an upcoming surgery on Facebook or
other social media outlets, Patterson recommends. You can’t really be sure who
might see it. Consider, for example, that a criminal could scoop up the notice
of your impending hip replacement and
add it to other information he or she can easily find about you online,
creating a more robust, more exploitable personal profile. As Eva Velasquez,
president and CEO of the ITRC, says, “Our rule of thumb is if it’s not
something you’d want plastered on a billboard, don’t post it. Because
essentially every single thing you post has that potential.”
All in the Family
Ronnie Bogle, a museum supervisor from San
Jose, Calif., says that for more than a decade, he had no idea that his brother
Gary had been stealing his identity to secure healthcare across several states.
Gary had a simple routine, Ronnie says: He
would move to a new town or city, purchase a picture ID, then present the ID—along
with Ronnie’s Social Security number—to get treatment, often at hospitals. Gary
often claimed to be uninsured when he sought care. After he was treated, the
bills were later sent to his given address, not Ronnie’s.
Ronnie told Consumer Reports that he only
learned what Gary was up to in 2010 after applying for a new credit card and
being turned down. He says his credit report contained listing after listing of
unpaid debt—for his brother’s hospital visits and treatments over the years.
Eventually, Gary was arrested and pleaded
guilty to 10 counts of criminal impersonation in California. He’s facing more
charges in Washington state for allegedly stealing his brother’s identity
there.
It has taken two years for Ronnie Bogle to
straighten out his credit and get his brother’s medical bills off his financial
record. “He destroyed my credit history multiple times,” Ronnie says.
So-Called Friendly Fraud
Sometimes victims of medical identity theft
know exactly how the crime occurred, but for others it remains a mystery.
The Ponemon Institute, a private cybersecurity
research firm, surveyed 1,005 people whose medical identity was “most likely”
assumed by someone else. In the study, published last year, 10 percent of
victims said their event was the result of a healthcare provider or insurer
data breach, and an additional 12 percent believe they were tricked into giving
up personal information via a fake email or phony website.
But 47 percent of respondents said that their
identity theft was perpetrated by a relative or someone else they knew.
Twenty-four percent said they had a situation like Bogle’s, where a relative
stole their identity without their knowledge or consent. And surprisingly, an
additional 23 percent of respondents said they willingly shared their
credentials with someone they knew. That’s why the crime sometimes is referred
to as “friendly fraud.”
Of those who said they shared healthcare
credentials in that way, 91 percent reported that it was because the other
person had no health insurance and 86 percent said it was because the other
person couldn’t afford medical treatment. Sixty-five percent said it was done
in an emergency.
Most of the people who voluntarily let someone
they know use their medical information said they didn’t consider their actions
wrong or criminal.
“They think of it as a Robin Hood crime—that
no one is getting hurt and that if a family member is ill, they can help them,”
says Larry Ponemon, chairman of the Ponemon Institute.
“Those in our studies who did recognize it as
a crime saw it as minor, like driving 5 miles above the speed limit. They don’t
recognize the cost burden to insurance companies or healthcare providers, or
that it ultimately ends up in the lap of consumers.”
Knowingly allowing a friend or relative to use
your medical insurance is illegal, an act of fraud against insurance companies
and health providers. And wrongfully sharing Medicare or Medicaid benefits is a
crime against the federal government and state programs.
Pinpointing how much money fraud costs the
medical industry each year is difficult. One estimate from 2012 put the total
economic impact of medical identity theft in the U.S. at $41.3 billion.
Providers are working on new strategies to
prevent it. They’re using software to detect fraud in billing, training staff
and consumers to recognize warning signs and asking for photo IDs, explains
James Quiggle of the Coalition Against Insurance Fraud. He says consumers can
expect to see more extensive verification screening in the future, such as the
use of fingerprints or palm prints. And soon Medicare cards will no longer bear
Social Security numbers.
A Dramatic Rise in the Crime
As recently as six years ago, your medical
information was kept in paper files, but now it has a more robust virtual
life—in electronic health records and in details you share online. All of that
can increase the likelihood that the wrong people could gain access to your
data.
“Now there’s electronic data traveling through
all kinds of devices and networks, and it’s much harder to lock it down,”
Patterson says.
Big data breaches in
the medical care industry have been on the rise over the past decade, including
the hack of health insurer Anthem in
2015, when about 70 million of its records were reportedly stolen. And yet it’s
still unclear how often medical identity fraud stems from those kinds of hacks,
Patterson explains.
Most at Risk for Medical Identity Theft
What industry analysts do know is that some
people are more likely to become targets, including people on Medicare. “That
Social Security number on the card is a gateway, not just to medical fraud but
to all kinds of fraud,” Patterson notes.
Older adults might also be more susceptible to scams because
they tend to be less circumspect about giving up personal health information,
she adds. Children’s health records are aggressively pursued by criminals, it
turns out, because a minor’s credit report—which would list unpaid debts—isn’t
usually seen by parents until a child is old enough to secure credit in his or
her name.
Also particularly vulnerable to medical
identity theft, says Pam Dixon, executive director of the nonprofit World
Privacy Forum, are new mothers, surgery patients,
and people with chronic conditions such as diabetes or
serious illnesses such as cancer.
That’s because the more interaction you have with the healthcare system, the
more opportunity for records to be breached.
Anyone who casually puts a lot of personal
information on social media sites and apps, such as millennials,
might attract medical identity thieves, too. Criminals, Patterson explains, are
“very good at aggregating social media information and pairing it with health
and other data they’ve gotten, like dates of birth and addresses.”
The Chaos in Care
The effects of medical identity theft can be
far-reaching, costing victims time, money, and aggravation. A 2016 report from
Javelin Strategy & Research found that, on average, identity fraud victims
spent only $55 out of pocket to resolve financial account problems in 2015.
But 65 percent of the medical identity theft
victims surveyed by Ponemon said they spent an average of $13,500 to pay the
healthcare bills run up in their name, to recover their health insurance, and
to pay lawyer’s fees, among other things. Ponemon also found that it took an
average of more than three months for victims to even detect the fraud and more
than 200 hours to undo the mess.
Mary Levine of Lake Charles, Louisiana, says
she has been logging time on the telephone with the police, hospitals, doctors,
and Medicaid almost every day since she learned in mid-June that someone had
racked up some $20,000 in fraudulent medical bills using her identity. Although
Levine is working closely with the nonprofit ITRC and her local sheriff's
department, the bills continue to arrive, and her worries are mounting.
"I keep telling the hospital that I've
never been there," says Levine. "I've been calling nonstop. They just
say they have not clarified anything at all and they'll call me whenever they
make a decision."
There’s much more to do to safeguard consumers
from medical identity theft, experts say, including creating a defined process
for resolving medical and financial problems.
But, says Orly Avitzur,
M.D., M.B.A., Consumer Reports’ medical director, one thing that healthcare
experts don’t want is to completely lock up our medical data. “It’s important
for doctors to be able to share your health needs, diagnoses, and treatment
information with each other, and to do so quickly in the event of an emergency,”
she says.
Be Ever-Vigilant
Deborah Ford’s encounter with medical identity
theft may have been extreme, but the way she handled it was impressive. Once
she found out about the fraud, she got on it—alerting every entity involved—
and stayed on it until it was over.
“They never used my credit card or checking account;
I checked. But lo and behold, they did more than that. They got what they
wanted—my insurance information,” she says.
Still, it cost her $1,500 in fees and took
five more years to expunge the drug arrest. On that day, Ford says, “I got my
name back.”
