The theft of Personally Identifiable Information (PII) from major retailers, financial institutions and the Federal Government has impacted large segments of the population and made headline news. More insidious and with profound consequences for patients, insurance and health care providers, is the theft of medical data.
This Privacy Tip focuses on basic facts about medical identity theft and ways you can protect yourself. Please note that the subject of medical privacy is complex. It is governed by the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Department of Health and Human Services, and state laws.
What is medical identity theft? Medical identity theft occurs when someone steals your medical data (also known as PII), such as your name, Social Security Number (SSN), and/or medical insurance identity number to obtain medical goods or services, or to fraudulently submit billings to Medicare or private health care insurers. Medical data may also include your medical diagnoses, health insurance information, and medical history. Medical identity theft can disrupt your life, damage your credit rating, and be life threatening if the wrong information is posted to your personal medical record.
How big is the problem? According to the Identity Theft Resource Center, health care has been the most common area for data breaches in the past three years. Medical identity theft was up about 21 percent between 2013 and 2014 and last year, about 2.3 million Americans were victims. In the Fifth Annual Study on Medical Identity Theft by the Ponemon Institute, 10 percent of medical identity theft victims experienced misdiagnosis because of fraud related errors in their medical records and 11 percent of victims faced treatment delays. In the same study, 45 percent of survey respondents reported that medical identity theft affected their reputation mainly because of embarrassment due to disclosure of sensitive personal health conditions. Additionally, nineteen percent of respondents believe that because such theft resulted in fraudulent or disclosure of sensitive information, they were excluded from a career opportunity; three percent say it resulted in the loss of employment.
How is medical data stolen? For many years, the primary cause of medical identity theft was the loss or theft of computers. In 2014, the leading cause was attributed to cyber-attacks. Medical identity theft may also be the result of an employee who is authorized to access medical data but removes or uses the data for fraudulent purposes.
What do thieves do with your medical data? Thieves know there is a significant market of uninsured or underinsured individuals willing to pay for bootlegged medical data. As an example, health insurance information on the black market sells for $60 – $70 as opposed to a dollar for a credit card number. Medical data can be used to obtain government or private health care, prescription medicines, and/or medical equipment. Thieves can also combine a patient number with a false health provider number and file bogus claims with insurers. Because medical identity theft is often not immediately identified, fraud can continue over a long period of time. The Ponemon Institute study reported that the average victim didn’t find out about the ID theft until three months after it happened.
Additionally, since most medical data includes the SSN and other non-medical PII, thieves may commit financial account fraud by making charges on and/or depleting active credit or bank accounts. Thieves may open new credit card accounts in the victim's name. When thieves use the cards and do not pay the bills, the delinquent accounts appear on their victim's credit report. The thieves may change the billing address for a credit card so that the victim no longer receives bills, and then run up charges on the account. It may be some time before the victim realizes there's a problem because the bills are being sent to a different address.
How do you minimize the risk of medical identity fraud? The following are best practices gleaned from a variety of recognized sources.
• Before providing your SSN or any PII, understand how the information will be used and shared.
• Use a cross-cut shredder to dispose of all documents with PII.
• Review your credit report each quarter.
• Request a list of benefits paid in your name from your health provider each year.
• Place outgoing mail in collection boxes (not your mailbox) or at the U.S. Post Office.
• Keep firewall, virus, and spyware software programs up to date.
• Password-protect all files containing PII using a strong password of 8 characters or more containing capital letters, numbers, and special characters.
• Never use PII (e.g., names of children/spouse) as answers to your security questions for online accounts.
• Review bank and credit card statements carefully.
• Never open internet links you are not familiar with.
• Don’t give out PII on the phone or in an email unless you initiated the contact.
• Consider using a medical identity monitoring service that alerts you whenever there is a health care transaction on your account.
• Minimize posting PII to social media accounts and follow strict privacy protocols.
How do you know if you are a victim of medical identity theft?
• Review of your Explanation of Benefits (EOB), noting that not all medical services were actually provided to you.
• Receipt of a letter from a collection agency claiming that you have unpaid medical bills.
• Receipt of a fraudulent tax return which claims a medical deduction for services you did not receive.
• Review of your credit reports which show delinquent medical bills that have been reported to the credit reporting agencies.
• Review of your medical records which contain misinformation caused by human error or identity theft.
• If you are a victim of medical identity theft and/or fraud, file a police report in your place of residence and obtain a copy of the report.
Note: According to the Ponemon Institute study, a review of the EOB is one of the best ways to determine if you are a victim of medical identity theft.
• You are entitled to know what is in your medical records. Request copies of your medical records from any health care provider. If the provider denies you access to your medical records after 30 days of your written request, you have the right to file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services. (Note: HIPAA does not prohibit providers from charging a reasonable fee for copying records.)
• You may request an accounting of the entities to which your health care provider gave your medical data; their records may contain the same errors that exist in the original health care provider’s medical records in your name. The original health care provider must notify the other providers of the mistakes in the records they sent.
• Obtain a free credit report: Only one website is authorized to fill orders for the free annual credit report you are entitled to under law — annualcreditreport.com.
• You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
• Department of Health & Human Services Office of Inspector General Hotline
Report suspected Medicare fraud:
Phone: 1-800-447-8477 (1-800-HHS-TIPS)
TTY #: 1-800-377-4950
Fax #: 1-800-223-8164
• Medicare Call Center and Medicare Patrols
Report questionable charges to Medicare:
Phone: 1-800-633-4227 (1-800-MEDICARE)
TTY #: 1-877-486-2048
• Federal Trade Commission's Identity Theft Hotline
Report misuse of your personal information:
Phone: 1-877-438-4338 (1-877-ID-THEFT)
TTY #: 1-866-653-4261