Andrew Brooke’s family knew something was screwy when they got a collection notice for unpaid bills for treatment of his work-related back injury, which included large prescriptions of the controlled painkiller Oxycontin.
“I’m looking at this bill, and I’m looking at my 3-week-old baby that can’t even hold his head up, and it’s just a sense of outrage,” said Andrew’s father, John Brooke, of Bothell, Wash., a suburb of Seattle.
Likewise, Jo-Ann Davis knew there was a mistake when a cop greeted her at the pharmacy where she had gone to pick up a prescription in early 2005.
“I’ve never even had a speeding ticket,” said Davis, a veterinary technician from Moon, Pa., near Pittsburgh.
Medical providers, it turned out, thought Andrew and Davis were other people. Their medical identities had been stolen.
These are not isolated incidents: In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005.
Motives for medical identity theft can vary. Some thieves, as in these cases, are seeking controlled medications. Others are seeking federal money. A case that wrapped up in January in Southern California illustrates just how sophisticated such operations can be.
Five health care providers pleaded guilty to stealing more than $900,000 in 2003 by luring hundreds of elderly Vietnamese patients to a fake medical clinic in Milpitas, where they would offer free checkups. According to prosecutors, they would copy the patients’ Medicare records and then use the information to bill the government for phantom services.
Steep costs on money and lives
Of all the forms of identity theft, misappropriation of your medical records is among the most damaging. It’s not just the financial toll — if your medical identity is stolen, erroneous entries can turn up in your records, which could end up killing you.
“If someone shows up in an emergency room and this has happened to them, they could receive improper treatment, and that is a real problem,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group.
For example, if an identity thief presents himself at the hospital in your name and is identified as having a different blood type, that blood type ends up registered in your medical history, with potentially disastrous consequences if you end up in a serious accident.
Or suppose you apply for a new job. Even if you’re fit as a fiddle, you could still fail a pre-employment medical screening or be rejected for company-provided health insurance because of the inaccurate presence of an ailment in your medical history that you don’t have.
It is also the most difficult type of identity theft to fix after the fact, because victims have limited recourse. Dixon found that medical identity theft typically leaves a trail of false information in medical records that can plague victims for years, because even if you manage to correct your records in one place, it’s almost impossible to track down everywhere they have been disseminated across the networks of medical providers, insurers and government agencies.
Too many roadblocks
Five states — California, Florida, Nevada, Arkansas and Delaware — have recently passed or are considering laws to address breaches of medical information, but the privacy forum still recommends that everyone check his or her medical records for accuracy.
Georgetown University’s Center on Medical Rights and Privacy maintains a state-by-state guide to checking your records. But if you find an error, trying to correct it can be a complex and sometimes fruitless task.
The federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires health care providers and insurers to give you access to your medical records and to give you a copy of their privacy practices. If your records are wrong, the act gives providers and insurers as long as 90 days to respond, but if they disagree with you, they don’t have to do anything.
Moreover, HIPAA doesn’t require medical providers and insurers to remove incorrect information; in fact, it says that if incorrect information leads to inappropriate treatment, the bad information should not be removed from your records, in order to preserve a paper trail.
And HIPAA offers little help in resolving disputes. Dixon’s report uses the example of John Doe, who needs to have his appendix removed but discovers that someone who stole his medical identity has already had an appendectomy in his name. The insurance company will reject Doe’s claim, of course, because nobody has two appendectomies.
“For a patient stuck in this type of Catch-22 situation — where no one is willing to or is required to take responsibility for errors that were not the patient’s doing — it may be very difficult for the patient,” the report concludes. “The HIPAA health privacy rule provides no real assistance or remedy. The patient may only be able to ask for the good will, understanding, and cooperation of all concerned.”
Authorities slow to prosecute
Insurance companies are not universally known for their goodwill, so the next step is often legal action. But that can be even more frustrating.
Eleven years after the enactment of HIPAA, only one defendant has ever been brought before a jury, and that didn’t happen until this January, when a Florida man was convicted of conspiracy to defraud the United States, commit computer fraud and aggravated identity theft, and wrongfully disclose private health records.
The man, Fernando Ferrer Jr., 29, and his cousin, Isis Machado, 23, stole the medical information of more than 1,100 patients of the Cleveland Clinic in Weston, Fla., using it to file false claims for Medicare reimbursement totaling more than $7 million.
It was astonishingly simple, court records reveal. Machado would wait for her supervisor to leave for the day so she could copy patients’ records. She would then drive to a gasoline station, where she would sell the copies to Ferrer for $5 to $10 per patient, she admitted in her plea agreement. Investigators found that as many as 11 different medical and health care providers in Miami later used the Medicare numbers in those records to fraudulently bill the government.
Ferrer faces up to 30 years in prison when he is sentenced in late April with Machado, who pleaded guilty to conspiracy to commit computer fraud and identity theft and faces up to five years.
Organized crime increasingly the culprit
So far, most investigations have snared individuals accused of medical identity theft, but the World Privacy Forum notes a disturbing trend — the increasing involvement of organized crime rings, which have been uncovered in California, New York and Florida.
“In the hands of organized crime, false claims are spread out across multiple patients, and the claim amounts are small,” making them harder to detect but no less damaging to innocent victims or expensive for taxpayers, the report said.
The World Privacy Forum report offers these recommendations:
- Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
- Victims of medical identity theft should have the right to receive one free copy of their medical file.
- Individuals should have expanded rights to obtain an accounting of disclosures of health information.
- Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
- A National Health Information Network should be established using comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy.
Until those things happen, medical providers are turning to technology.
Elmhurst and Queens hospitals in Queens, N.Y., for example, have adapted a smart card system that was originally designed to prevent patient confusion. It has issued the cards to thousands of patients, carrying their pictures and coded with abstracts of their medical histories.
Dr. Glenn Martin, Elmhurst Hospital’s director of medical informatics, said the cards merely helped hospital officials ensure that the patient and the history matched, but that could be enough to save millions of dollars.
Lives, too. It may sound simple, Martin said, but the smart cards do help sniff out the cases in which “suddenly you developed the disease of an 80-year-old when you’re actually a 20-year-old female.”