Mitigating Medical Identity Theft

Medical identity theft accounts for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005, according to the Federal Trade Commission. But what exactly is medical identity theft and why does the World Privacy Forum say it is the most difficult of identity theft crimes to correct?
…Medical identity theft is the inappropriate or unauthorized misrepresentation of individually identifiable health information for the purpose of obtaining access to property or services, which may result in long-lasting harm to an individual interacting with the healthcare continuum.2 It “frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name. Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.”
Examples of medical identity theft include situations wherein an individual accesses medical services in another individual’s name to:
Obtain benefits or services for which the individual is not eligible
Obtain services for which the individual will not pay
Perpetrate other fraud or illegal activity (such as erroneous billings or drug-seeking behavior for personal use or illegal distribution)
“The Cascading Effect of Medical Identity Theft,” [below], demonstrates how medical identity theft affects an individual and his or her healthcare from the initial theft to corrupted health records.

Data Breach Reports Up 69 Percent in 2008

Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts.
The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses — an increase from almost 29 percent last year.

Medical ID theft can injure finances, endanger lives

When someone steals your identity, obtains loans in your name and then stiffs the lenders, the effects on your credit report can be devastating. It can take weeks, months or sometimes years as well as plenty of frustration to restore your good name. But there’s another kind of identity theft that not only can ruin your financial health but also endanger your life: medical identity theft.

Medical ID theft occurs when a thief uses someone’s personal information such as health insurance information without the individual’s consent to obtain medical services or goods, or to make false claims for medical services or goods.

Co-defendant in patient-ID theft scheme gets prison term

The co-defendant in an extensive identity-theft scheme that targeted hospital patients was sentenced today to two years and three months in prison. Linda D. Williams was the “inside” person for Richard Yaw Adjei, providing him with detailed personal information about hundreds of people who had their hospital bills processed through a Delaware company where she worked.

Williams, 32, apologized in court. Her defense attorney, Federal Public Defender Edson Bostic, said that, at the time of the crimes, Williams was going through hard times and suffering from depression.

But Chief District Judge Gregory M. Sleet dismissed those excuses, noting Williams held a stable job and had a new place to live when she conspired with Adjei, and knew that she was taking the identities of vulnerable people.

Assistant U.S. Attorney Beth Moskow-Schnoll said one victim recalled having to tell her 9-year-old child that she was suffering from a brain tumor and that there would be no Christmas presents that year because she didn’t have her tax-refund money to buy gifts.

{Many believe that electronic health systems will prevent insiders like office clerks from being able to steal information from our medical records. But today no federal laws require our permission before a clerk or a doctor can access our personal health records. Unless Congress makes ironclad consumer privacy control over health information the foundation of the digital health system, criminal identity thefts using data from our health records will massively increase. ~ Dr. Deborah Peel, Patient Privacy Rights}

Trends in Identity Theft

The Federal Trade Commission (FTC) has released its Annual List of Top Consumer Complaints. This year–for the seventh year in a row–Identity Theft is at the top of the list, having garnered 36% of the 674,354 complaints the FTC has received.

The FTC operates a site called Consumer Sentinel, which acts as a repository for consumer fraud complaints and the database source for the report. Technical changes in the counting methodologies make comparisons to previous years difficult, although overall fraud instances appear to be roughly flat from last year.

The most common form of identity theft is credit card fraud, which, fortunately, provides recourse for consumers. Other forms of fraud can impose great burdens on consumers to clear their records, let alone to recover moneys lost.

{Identity theft will skyrocket because this Administration is building an electronic health system with open access to every American’s personal health information by over 4 million health-related businesses and government agencies. Only Congress can stop federal agencies and the Administration from eliminating our Constitutional and common law rights to medical privacy in order to control costs and save lives. We don’t have to choose between privacy and the benefits of health technology. We can have it all: privacy and save lives and lower costs—but only if we use ‘smart’ technology and only if Congress grants Americans a federal right to medical privacy. ~ Dr. Deborah Peel, Patient Privacy Rights}

Databases Called Lax With Personal Information

The Social Security numbers of millions of Americans, including Vice President Cheney and celebrity heiress Paris Hilton, are available to many subscribers of a widely used information database company, U.S. Sen. Charles E. Schumer (D-N.Y.) charged yesterday.

Westlaw’s subscribers include government and law-enforcement agencies, law firms, corporations and news-gathering organizations. Westlaw, a division of Thomson Corp., said Social Security information is restricted to government agencies and a small number of corporations that need it, such as insurance companies investigating fraud.

“Fewer than 10 non-government customers have access to this type of information,” the company said in a written statement. “Furthermore, our terms of use restricting access go beyond federal law and current industry standards.”

But Schumer said the information is too easily available to any level of employee, adding that his investigation was prompted by complaints from consumers. He said the company has ignored his requests to restrict access to only those individuals who demonstrate they need the information, such as law-enforcement officers.

Schumer’s concerns add to a controversy over companies that buy and sell such data with little oversight to protect personal information.

Yesterday, Senate Judiciary Committee Chairman Arlen Specter (R-Pa.) said the panel would hold a hearing in response to the recent theft of Social Security numbers and other financial data of more than 100,000 people from ChoicePoint Inc., a Georgia-based database firm.

After setting up accounts with the company, identity thieves were able to gather information on at least 145,000 individuals.

“It’s time to turn some sunshine on these developments so the public can understand how and why their personal information is being used,” said Sen. Patrick J. Leahy (D-Vt.) in requesting hearings.

In the House, Rep. Joe Barton (R-Tex.), head of the Energy and Commerce Committee, has directed his staff to investigate the storage and security practices of database companies.

Schumer said comprehensive legislation is needed in an area that is largely unregulated at the federal level and governed by a patchwork of sometimes-conflicting state laws.

California, for example, requires companies to report breaches of their systems that result in exposure of personal data, a law that prompted disclosure of the theft at ChoicePoint.

Sen. Dianne Feinstein (D-Calif.) has proposed a similar federal law, which has been opposed by many technology and database companies.

In a news conference, at which were shown reproductions of Web pages displaying personal data of famous people, Schumer detailed how his staff was able to quickly retrieve Social Security numbers and addresses of former attorney general John D. Ashcroft, former homeland security secretary Tom Ridge, executives of Westlaw and others.

They tried President Bush, Schumer said, but his address came up as 1400 Pennsylvania Ave., instead of the White House’s address of 1600 Pennsylvania Ave.

“Westlaw’s service could be entitled ‘Identity Theft for Dummies,’” Schumer said. “To my mind, what bank robbery was to the Depression era, identity theft is to the information age. Everyone’s susceptible.”

In a written statement, Thomson West, the firm that operates Westlaw, said it shares Schumer’s concerns about privacy and identity theft. But the company denied the senator’s claims that it has been unresponsive to his inquiries.

Researchers at The Washington Post, a Westlaw subscriber, sought to replicate Schumer’s exercise and found that only the first five digits of an individual’s Social Security number were displayed.

But a Schumer spokesman said that a researcher at a major corporation not involved in credit checks or other investigations was able to get the complete numbers.

A spokesman for LexisNexis, a Westlaw competitor, said law-enforcement agencies, insurance and financial institutions can also get full Social Security data through LexisNexis’s service. But even if a potential customer is in the right industry, he said, they are screened to ensure they are legitimate.

Privacy experts say that in addition to raising questions about how well personal information is protected, the disclosures indicate an extreme overuse of Social Security numbers for identification.

“It has become the default identifier” for many commercial businesses, banks and Web sites, said Ari Schwartz, associate director of the Center for Democracy and Technology, a Washington group that studies digital rights and privacy issues.

When personal information is compromised, a Social Security number can be used as a tool for identity theft.

Many privacy advocates have urged businesses to create unique identification numbers for customers to use.

“The reliance on the Social Security number has created a false sense of security for businesses and a source of vulnerability for consumers,” Schwartz said.

© 2005 The Washington Post Company