[ISN] Diagnosis: Identity Theft

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 22:16:20 PST


BusinessWeek online
JANUARY 8, 2007

For $60, a thief can buy your health recordsand use them to get costly 
care. Guess who gets the bill

When Lind Weaver opened her mailbox one day in early 2004, she was 
surprised to find a bill from a local hospital for the amputation of her 
right foot. Surprised because the 57-year-old owner of a horse farm in 
Palm Coast, Fla., had never had worse than an ingrown toenail. After 
weeks of wrangling with the hospital's billing reps, Weaver finally 
stormed into the facility and kicked her heels up on the desk of the 
chief administrator. "Obviously, I have both of my feet," she told him.

Weaver eventually persuaded the hospital to drop the charges but in the 
process discovered that the mistake wasn't a simple billing error. 
Weaver's identity had been stolen by a fraudster who had used her 
personal informationher address, Social Security number, and even her 
insurance ID numberto have the expensive procedure performed. The 
nightmare didn't end there. When Weaver was hospitalized a year later 
for a hysterectomy, she realized the amputee's medical info was now 
mixed in with her own after a nurse reviewed her chart and said, "I see 
you have diabetes." (She doesn't.) With medical data expected to begin 
flowing more freely among health-care providers, Weaver now frets that 
if she is ever rushed to a hospital, she could receive improper carea 
transfusion with the wrong type of blood, for instance, or a medicine to 
which she's allergic. "I now live in fear that if something ever 
happened to me, I could get the wrong kind of medical treatment," she 

Weaver's experience isn't an isolated case. Medical identity theftin 
which fraudsters impersonate unsuspecting individuals to get costly care 
they couldn't otherwise affordis growing. Based on Federal Trade 
Commission surveys, Pam Dixon, executive director of the World Privacy 
Forum, a San Diego-based research group, estimates that more than 
250,000 Americans have had their medical information stolen and misused 
in recent years. And this isn't petty larceny. Experts note that while 
individuals who have had their credit-card data stolen are usually 
wrangling with their banks over losses of as little as a few thousand 
dollars, medical ID theft can leave victims, and the doctors and 
hospitals that provided the care, staring at bills that are 
exponentially higher.

Yet the thief isn't always an individual desperately needing medical 
care. In some instances, the perpetrator can be a doctor hoping to pad 
his or her income by filing fraudulent claims. Even worse, law 
enforcement authorities say that more and more frauds are being 
perpetrated by organized crime rings who steal dozens, and sometimes 
thousands, of medical records, as well as the billing codes for doctors. 
The rings then set up fake medical clinicsoffering free health 
screenings as a ruse to draw in patientsthat submit bogus bills to 
insurers, collect payments for a few months, and then disappear before 
the insurers realize they've been had. (Dixon notes that health records 
now fetch $50 to $60 each on the black market, vs. a mere 7 cents for 
stolen rsums.)

Last year, California authorities busted a ring in Milpitas that 
recruited patients from a local senior citizen center with offers of a 
free checkup and a case of Ensure nutritional supplement. In the three 
months before authorities raided the clinic, the ring had billed 
$900,000 for diagnostic tests it had never performed. "Yesterday's drug 
dealers are now working in today's health-care fraud," says John Askins, 
an investigator in Florida's state insurance fraud division. "It's more 
lucrative, and they don't face the same dangers they do in the narcotics 
trade." The penalties, if they're caught, are lower, too.

Health-care providers say the Bush Administration's initiative to push 
doctors and hospitals to convert their paper-based patient files into 
digital records should help reduce the number of medical ID frauds. "Our 
software has become more sophisticated, particularly in identifying 
spikes in usagesomeone who normally goes to the doctor once a year and 
suddenly goes 25 times in a 12-month period. It's a red flag," says 
Byron Hollis, national anti-fraud director for the Blue Cross Blue 
Shield Assn., a trade group for 39 health plans.

But some privacy advocates fear that the rush toward digital health 
records could ironically create new nightmares for victims of medical ID 
theft. Rather than residing in a single doctor's paper files, fraudulent 
informationsuch as the erroneous diabetes diagnosis in Lind Weaver's 
recordscould circulate in other medical databases across the country. 
Given that some medical ID thefts are "inside jobs," wherein rogue 
clerks sell patient data to fraudsters on the outside, privacy advocates 
believe that allowing data to flow more freely around a national network 
could make such thefts even easier. "We can expect [medical ID theft] to 
grow the more we move toward an electronic health-care system. It's 
going to be a disaster," says Dr. Deborah Peel, an Austin (Tex.) 
psychiatrist and founder of the Patient Privacy Rights Foundation.

Even worse, it can be difficult for patients to purge any fraud from 
their records. While the Fair Credit Reporting Act gives victims of 
financial identity theft the right to see and try to correct any 
mistakes in their credit records, critics say that victims of medical ID 
theft don't have the same recourse. Health privacy laws "are limited and 
don't reflect the possibility of medical ID theft," notes Robert 
Gellman, a leading privacy consultant in Washington. "Negative 
information could just bounce around the system forever."

For some victims, the pain is real. Take the case of Joe Ryan. In early 
2004, the 60-year-old owner of a Colorado sightseeing business (he flies 
passengers in a modern replica of a 1939 biplane) got a bill from a 
hospital outside Denver. The hospital was seeking $41,188 for surgery 
that Ryan says he hadn't had performed. Ryan called the hospital and, in 
time, realized that someone had stolen his personal information to pay 
for the surgery. Eventually, investigators traced the crime to a former 
clerk at a newspaper in which Ryan had placed an ad for his sightseeing 
business. "He asked for my Social Security number, and I now realize I 
shouldn't have given it to him," says Ryan.

When Ryan tried to correct his records, he discovered how difficult it 
can be for victims to clear their names. The hospital wouldn't let him 
see his own medical records when they determined that the signature on 
the driver's license Ryan handed them didn't match the signature that 
the perpetrator had used when he checked in. "They said I couldn't be 
Joe Ryan," he recalls. While the hospital eventually absorbed the loss, 
Ryan says he hasn't been able to completely erase the supposedly unpaid 
debt from his credit record. With his credit ruined, Ryan says he has 
had to pay a stiff interest ratesix points over the prime ratewhen he 
refinanced his plane, and his insurance company has jacked up his 
premium. "It has been like a glacier moving over me," he says. "I'm just 
screwed because I'm going to lose my airplane, my business, and my 
credit rating."

In other instances, the thief can be a patient's own doctor. Debra 
Herritt discovered that after she and her husband began seeing a Boston 
psychiatrist, Richard P. Skodnek, in the 1990s. After two years of 
therapy, Herritt began receiving statements from her insurer, Blue Cross 
& Blue Shield Assn. of Massachusetts, showing that Skodnek had billed 
Blue Cross for sessions the Herritts had already covered. What's more, 
Herrit learned that Skodnek had also billed her son and daughter for 
psychiatric sessions that Debra says never occurred. "My children had 
never laid eyes on him," she says. Fortunately for Herritt, the feds 
were already on Skodnek's trail for defrauding other patients, and in 
1996 the psychiatrist was convicted on 136 counts. Even then, Herritt 
says she spent the next couple of years trying to convince Blue Cross 
that her children had never been treated for depression. "It was an 
incredible invasion of their lives," Herritt says now. "I just pray this 
doesn't come back to haunt them somewhere down the road."


Law enforcement authorities complain that many health-care facilities do 
too little to protect their patient data. Case in point: In September, 
federal authorities arrested a scheduling clerk at the Cleveland 
Clinic's Weston (Fla.) hospital who allegedly had passed on the personal 
identification information of more than 1,100 patients to her cousinwho 
in turn submitted $2.8 million in false claims to Medicare. "Hospitals 
have done a poor job of implementing security procedures on their 
computer systems," says one federal investigator. "You'd be astonished 
how many people have access to your medical records." (Cleveland Clinic 
officials say they notified law enforcement officials when fraud was 
detected in June, and say they've since conducted an internal risk 
assessment to prevent such a problem in the future.)

In their defense, health-care executives say they've taken steps in 
recent years to deter identity thieves. Some hospitals, for instance, 
have begun reprogramming their computer systems to restrict staffers 
from accessing any patient data beyond what they need to do their jobs. 
And some have instituted procedures to ensure patients are who they 
claim to be.

Among them is the University of Connecticut Health Center in Farmington. 
After one patient impersonating a distant relative gained admittance and 
ran up more than $76,000 in bills in his cousin's name, hospital 
administrators two years ago began requiring anyone seeking treatment to 
produce a picture ID. "We've since had instances where patients say, I 
left my ID in the car,' then leave and never return," says Marie Whalen, 
the center's assistant vice-president for ambulatory services. And 
beginning next March, Whalen says the center will begin scanning these 
picture IDs into their files to help staffers confirm each patient's 
identity on subsequent visits. "Most people are fine with that," she 
says. Indeed, it may be a small price to pay to avoid ID theft.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Tue Jan 02 2007 - 22:25:44 PST