How to Protect Yourself from Medical Identity Theft
Are Your Health Records at Risk?
Anyone with access to your medical files— hospital workers, even your doctor—can steal your information and sell it to thieves who
run up huge bills in your name. Here's how to protect yourself from this frightening new crime.
By Elizabeth DeVita-Raeburn
Lind Weaver, 57, a horse farmer in Palm Coast, Florida, received a hospital bill for the amputation of her right foot—a surgery she'd never had. Anndorie Sachs, a 28-year-old mother of four from Utah, got a call from a social worker saying that the newborn she'd supposedly just delivered—and abandoned—had tested positive for methamphetamines. Jo-Ann Davis, 41, a veterinary technician from Moon Township, Pennsylvania, was almost arrested for allegedly scamming pharmacies out of painkillers.
All three women were victims of medical identity theft, a fast-growing but little-known crime in which a thief uses a person's name and social-security or health-insurance number to get medical treatment or charge insurance companies for phony services. As many as 500,000 Americans (and possibly more) have had their medical information stolen, according to a recent estimate by the World Privacy Forum, a nonprofit research group that investigates privacy issues. Victims can be left with huge bills for services they never received, along with legal, medical and insurance-fraud issues that can take years to untangle.
"It's a devastating crime," says Judd Rousseau, director of fraud operations for IdentityTheft911, a company that helps victims of medical ID theft. "It's bad enough to have someone use your birth date and social-security number to run up bills in your name. But it's even worse to have them assume your health identity and create false records with the potential to affect your care, particularly in an emergency."
An "Inside Job"
Experts say that anyone with insurance is a potential victim. The crime sometimes begins with a lost or stolen wallet: Jo-Ann Davis left her wallet on top of her car as she pulled out of a gas station in 2004. She immediately canceled her credit cards and replaced her driver's license, but a woman found the wallet and used Davis's identity and insurance card to obtain medical treatment and pain pills, racking up nearly $16,000 in bills. Anndorie Sachs's wallet was stolen out of her car. A pregnant drug addict used Sachs's driver's license as ID at the hospital when she gave birth. As a result, Sachs's medical information was changed to match that of the imposter.
More often than not, however, medical identity theft is an inside job, says Pam Dixon, executive director of the World Privacy Forum and author of a 2006 report about the crime that was recently cited by Congress. Many of these cases involve crooked health-care workers, such as physicians, billing clerks or hospital administrators, who have access to patients' records and their social-security numbers.
In 2006, a front-desk clerk at the Cleveland Clinic Florida in Weston, Florida, gave the insurance information of more than 1,100 patients to her cousin, who used it to submit claims for phony services, collecting close to $2.5 million. Others sell the data on the black market. "We've heard reports of insurance cards being sold in Tijuana and New York City for up to $2,500 a card," says Chris Dorn, director of fraud and recovery solutions at Ingenix, a firm that helps insurance companies prevent and detect medical fraud.
The Best Way to Stay Safe
For victims, the fallout can be severe. Some people go bankrupt, their credit ruined, their businesses lost. Weaver had to fight for years to get the hospital to drop charges for the amputation surgery she'd never had. State agents showed up on Sachs's doorstep and tried to take her kids away. Davis narrowly escaped arrest. "It's very much a case of guilty until proven innocent," says Dixon. "The burden of proof tends to fall on the victim."
Not only that, your medical history and that of the thief can become entwined. "Say you're in a car wreck and you end up in the emergency room, and someone starts searching around in your medical records and finds a diagnosis of diabetes," says Byron Hollis, managing director of the national antifraud department for the Blue Cross Blue Shield Association. In fact, that's what almost happened to Weaver. She doesn't have diabetes, but the woman who impersonated her does. Weaver was able to correct the mistake, but what if she'd been unconscious? "If a doctor gives you insulin when you're not diabetic, the consequences could be deadly," says Hollis.
Fortunately, hospitals and insurers have started to do more to protect patients. After a series of medical identity thefts at the University of Connecticut Health Center in Farmington, administrators started requiring photo IDs at check-in. Other hospitals have reprogrammed their computer systems so that staff members have just enough information to do their jobs—but no access to patients' social-security or insurance numbers.
The government is also putting safeguards in place. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule protects patients' medical records from unauthorized access. Last summer, Senators Edward Kennedy (D-MA) and Patrick Leahy (D-VT) introduced the Health Information Privacy and Security Act of 2007, which would further protect medical information and make it harder for thieves to steal it. Among other things, the act would require that patients be allowed to inspect, correct and make copies of their records.
Most important, patients need to be vigilant about their medical files. "The earlier consumers can spot problems and report them, the easier medical identity theft is to address," says Pennsylvania Attorney General Tom Corbett, who has investigated several cases in his state. "Left unchecked, it can generate a complicated web of bogus bills and false medical information that is very difficult to unravel."
How to Protect Yourself
Keep your personal numbers private. "Think of your health-insurance card as a credit card with a spending limit of a million dollars," says Hollis, referring to the fact that many health-insurance plans put a cap on how much they'll pay for your care over your lifetime. If you don't notice and no one catches it, a thief could spend up to your lifetime maximum. "If you're checking in for an appointment and are asked for your social-security number and address, look to see if anyone is standing behind you, and lower your voice before answering," says Hollis. Also, always shred old insurance statements and cards.
Get an annual copy of your medical records from each of your doctors. According to HIPAA, patients are allowed to review their files on demand. (Your provider may charge you for copies and postage.) Go over them carefully to make sure there are no errors. It may be easier to have your physician read the records with you rather than try to figure out the medical lingo—or bad handwriting!—yourself.
Play detective. If you find an error in your files, ask your health-care provider (such as your hospital or your M.D.) and your insurance company to correct it. But know this: In the course of processing your claim, your records may be sent to insurance companies, pharmacies, labs or to other places. By law, HIPAA requires your insurer to tell you who received the information (with certain exceptions), but it's up to you to track it down and fix the mistakes. "It's important that you get it all," says Dixon. Take the case of Jo-Ann Davis: If she doesn't get every one of her records corrected, she's at risk of being arrested any time she goes to the pharmacy to fill a prescription.
Always open mail from your insurance company. Be sure to read the explanation of benefits (EOB) statements you get whenever your insurer has received a claim. "Check to see that the dates and types of services match your recollection or records," says Hollis. If you spot anything suspicious—whether you owe money or not—call your insurer and your health-care provider immediately.
Request a list of all payments made to you. Criminals may change the billing address and phone number on your records so you won't get EOB statements. Once a year, ask for a list of benefits paid out in your name. If there are any discrepancies, report them immediately.
Check your credit report. Some victims of medical identity theft discovered the crime when they saw collection notices from hospitals, medical labs or health services on their report. Everyone is entitled to a free one annually from each of the three major consumer credit reporting companies. Go to annualcreditreport.com to get yours.
Think You're a Victim of Medical Identity Theft?
Don't panic. Our step-by-step plan will help you clear your name—and your records.
STEP 1: Contact your health provider and your insurer. Ask for a copy of your medical records and work with your provider to correct them. Most insurers have antifraud hotlines staffed by experts who can talk you through what to do. Typically, they will request a new card for you and have a watch put on your old one.
STEP 2: Take detailed notes. Write down the name and contact information of everyone you speak to, as well as the date and what was discussed, in case you need to follow up. Also, make copies of letters and e-mails you send, advises Judd Rousseau, of IdentityTheft911.
STEP 3: Check your credit report. Work to correct any errors.
STEP 4: Notify the police. Medical identity theft is a serious crime, so it's important that you report it to your local police department. Make sure they take an incident report, and request a copy for your files, says Rousseau.
STEP 5: File a complaint with the Federal Trade Commission. The agency will give you a fraud affidavit form to fill out, which you'll need in order to correct your records. This will also help the government keep track of the number of cases.
STEP 6: Ask your insurer and/or health-care provider for a list of the places your medical information has been sent. This includes credit bureaus, medical offices, pharmacies, insurance brokers and so on.
STEP 7: Contact every one of them. Provide copies of the affidavit and police report and ask that your records be cleared of any mistakes.
Get More Help Here
•For questions about medical bills resulting from identity theft: Contact the Federal Trade Commission at 877-IDTHEFT (438-4338).
•If your doctor won't give you your medical records: File a complaint with the Office of Civil Rights at Health and Human Services within 180 days of the incident. They'll review your report and help you get access to your records (http://www.hhs.gov/ocr/hipaa howto.pdf; 866-627-7748).
•For information about state laws governing access to your medical records and the right to correct them: Visit the Web site for the Georgetown University Center on Medical Record Rights and Privacy (hpi.georgetown.edu/privacy/records.html).
Byron Hollis, Managing Director for BCBSA's National Anti-Fraud Department, gave an interview to Fitness Magazine about the dangers of medical identity theft and what consumers can do to protect themselves. The article appeared in the February 2008 issue.
