The Rise of Medical Identity Theft
When thieves take your personal data to get prescription drugs, doctor care, or surgery, it can endanger your health and trash your finances
By Michelle Andrews
August 25, 2016
It began like an ordinary purse snatching. The credit card reader on the gas pump at her Houston neighborhood station wasn’t working, so Deborah Ford went inside to pay. By the time she returned to the car, her purse and wallet were gone. Ford filed a police report, canceled credit cards, and requested a new driver’s license and health insurance card. She checked with the bank several times to be sure nothing was funny, then forgot about it.
Two years later, the retired postal worker received an unsettling call from a bail bondsman; she was about to be arrested for acquiring more than 1,700 prescription opioid painkiller pills through area pharmacies.
“I had my mug shot taken, my fingerprints taken,” she says. Ford suffers from psoriasis, and she was so stressed that she broke out in the signature rash. “The policemen looked at my hands and said, ‘That’s what drug users’ hands look like.’ They just assumed I was guilty.”
Later, a judge dismissed the charges. “What saved me from going to jail was that I had filed that police report,” Ford says.
Turns out the thief altered Ford’s driver’s license and used that and her stolen health insurance card to go to doctors to seek prescription painkillers. Eventually, Ford says, a pharmacist became suspicious and called police.
“Boy, the thieves messed me up,” Ford says now of her lengthy and expensive ordeal, which began with the theft in 2008 and didn’t end until she got her name cleared of the arrest record last year. “Once they’ve got your identity, they’ve got you,” she says.
Inside Medical Identity Theft
Ford’s story is but one glimpse of what medical identity theft can look like these days and why it has become a fast-growing strain of identity theft, with an estimated 2.3 million cases identified in 2014, a number that’s up almost 22 percent from the year before.
Your personal health insurance information, including your Social Security number, address, and email address, is valuable and vulnerable. When it gets into the wrong hands it can be used to steal expensive medical services—even surgeries—and prescription drugs or to procure medical devices or equipment such as wheelchairs.
Your medical identity is a commodity that can be hijacked and used to falsify insurance claims or to fraudulently acquire government benefits such as Medicare or Medicaid. Your personal medical information may also be sold on the black market, where it can be used to create entirely new medical identities based on your data.
And more often than you might imagine, people outright share their own medical coverage with an uninsured friend or family member in need of care, which is against the law. (More on that later.)
Because current consumer protections aren’t specifically designed for medical identity theft, experts warn, people need to understand that they may have to take on extensive work to clear up fraudulent bills. Some frustrated victims of medical identity theft simply give up and pay the bills themselves.
But there’s another, far more dangerous problem with medical identity theft: The thief’s own medical treatment, history, and diagnoses can get mixed up with your own electronic health records—potentially tainting and complicating your care for years to come. And that isn’t a hypothetical problem.
“About 20 percent of victims have told us that they got the wrong diagnosis or treatment, or that their care was delayed because there was confusion about what was true in their records due to the identity theft,” says Ann Patterson, a senior vice president of the Medical Identity Fraud Alliance (MIFA), a group of several dozen healthcare organizations and businesses working to reduce the crime and its negative effects.
Havoc in Victims' Lives
The long tail on medical identity theft can create havoc in victims’ lives. Take Anndorie Cromar’s experience. A pregnant woman reportedly used Cromar’s medical identity to pay for maternity care at a nearby hospital in Utah.
Soon, officials from child protective services assumed the infant—born with drugs in her system—was Cromar’s baby, and Cromar says the state, not realizing her medical identity had been hijacked, threatened to take her own four children away.
A DNA test she took helped to get her name off of the infant’s birth certificate, she says, but it took years to get her medical records corrected.
“That first stage was the most terrifying thing I’ve ever experienced in my life, getting the call from CPS and having them say, ‘We are coming to take your kids,’ ” Cromar told Consumer Reports.
An Insidious Kind of Fraud
Financial identity theft is nothing new: Perhaps you or someone you know has had to deal with undoing the mess that happens when someone illegally obtains your personal financial information and uses it to drain your bank account or rack up charges on credit cards fraudulently taken out in your name.
Setting credit accounts back to normal can be a hassle, but your money is, for the most part, protected under the Fair Credit Billing Act. You’re liable for only $50, at most, of unauthorized charges on a credit cardif you follow simple notification steps. And there are defined reimbursement rules if money is illegally withdrawn with a stolen ATM or debit card.
But when consumers become victims of medical identity fraud, stopping the damage and clearing up the bills is much more difficult and time consuming.
Deborah Ford had to quickly figure out what had been done in her name and try to undo the damage. She got on the phone and wrote letters and even tried to track down doctors the criminal had used. “All I have is my name, my integrity,” she says.
Investigators later told her that the thieves were savvy at knowing the system, always waiting 45 days between trips to the same pharmacy to avoid being identified by store video. “They were so slick about it,” Ford says. ‘To this day, I don’t know who they were. But they were slick, that’s for sure.”
Spotting It, Preventing it
Experts say detecting the fraud in the first place can be the most difficult part. “Medical identify theft and fraud is much harder to spot than financial fraud,” says Michelle De Mooy, acting director of the Privacy & Data Project at the nonprofit Center for Democracy & Technology. “The bank calls you if they see charges in the system that raise an alarm. This kind of fraud is much easier to hide for a longer time.”
That’s why consumers need to be especially smart and careful about how and when they share their personal, medical, and insurance information.
Here are a few basic ways you can safeguard your medical privacy and identity: Read those explanation of benefits letters as if they were bank statements. Carefully check all of the correspondence you receive from health insurers and healthcare providers for accuracy and for bills of service that you don’t recognize. Also review your credit reports for unfamiliar debts. Be stingy with your personal health information, Social Security card, and insurance cards. If someone asks for them, inquire whether it is really necessary.
And don’t post news of an upcoming surgery on Facebook or other social media outlets, Patterson recommends. You can’t really be sure who might see it. Consider, for example, that a criminal could scoop up the notice of your impending hip replacement and add it to other information he or she can easily find about you online, creating a more robust, more exploitable personal profile. As Eva Velasquez, president and CEO of the ITRC, says, “Our rule of thumb is if it’s not something you’d want plastered on a billboard, don’t post it. Because essentially every single thing you post has that potential.”
All in the Family
Ronnie Bogle, a museum supervisor from San Jose, Calif., says that for more than a decade, he had no idea that his brother Gary had been stealing his identity to secure healthcare across several states.
Gary had a simple routine, Ronnie says: He would move to a new town or city, purchase a picture ID, then present the ID—along with Ronnie’s Social Security number—to get treatment, often at hospitals. Gary often claimed to be uninsured when he sought care. After he was treated, the bills were later sent to his given address, not Ronnie’s.
Ronnie told Consumer Reports that he only learned what Gary was up to in 2010 after applying for a new credit card and being turned down. He says his credit report contained listing after listing of unpaid debt—for his brother’s hospital visits and treatments over the years.
Eventually, Gary was arrested and pleaded guilty to 10 counts of criminal impersonation in California. He’s facing more charges in Washington state for allegedly stealing his brother’s identity there.
It has taken two years for Ronnie Bogle to straighten out his credit and get his brother’s medical bills off his financial record. “He destroyed my credit history multiple times,” Ronnie says.
So-Called Friendly Fraud
Sometimes victims of medical identity theft know exactly how the crime occurred, but for others it remains a mystery.
The Ponemon Institute, a private cybersecurity research firm, surveyed 1,005 people whose medical identity was “most likely” assumed by someone else. In the study, published last year, 10 percent of victims said their event was the result of a healthcare provider or insurer data breach, and an additional 12 percent believe they were tricked into giving up personal information via a fake email or phony website.
But 47 percent of respondents said that their identity theft was perpetrated by a relative or someone else they knew. Twenty-four percent said they had a situation like Bogle’s, where a relative stole their identity without their knowledge or consent. And surprisingly, an additional 23 percent of respondents said they willingly shared their credentials with someone they knew. That’s why the crime sometimes is referred to as “friendly fraud.”
Of those who said they shared healthcare credentials in that way, 91 percent reported that it was because the other person had no health insurance and 86 percent said it was because the other person couldn’t afford medical treatment. Sixty-five percent said it was done in an emergency.
Most of the people who voluntarily let someone they know use their medical information said they didn’t consider their actions wrong or criminal.
“They think of it as a Robin Hood crime—that no one is getting hurt and that if a family member is ill, they can help them,” says Larry Ponemon, chairman of the Ponemon Institute.
“Those in our studies who did recognize it as a crime saw it as minor, like driving 5 miles above the speed limit. They don’t recognize the cost burden to insurance companies or healthcare providers, or that it ultimately ends up in the lap of consumers.”
Knowingly allowing a friend or relative to use your medical insurance is illegal, an act of fraud against insurance companies and health providers. And wrongfully sharing Medicare or Medicaid benefits is a crime against the federal government and state programs.
Pinpointing how much money fraud costs the medical industry each year is difficult. One estimate from 2012 put the total economic impact of medical identity theft in the U.S. at $41.3 billion.
Providers are working on new strategies to prevent it. They’re using software to detect fraud in billing, training staff and consumers to recognize warning signs and asking for photo IDs, explains James Quiggle of the Coalition Against Insurance Fraud. He says consumers can expect to see more extensive verification screening in the future, such as the use of fingerprints or palm prints. And soon Medicare cards will no longer bear Social Security numbers.
A Dramatic Rise in the Crime
As recently as six years ago, your medical information was kept in paper files, but now it has a more robust virtual life—in electronic health records and in details you share online. All of that can increase the likelihood that the wrong people could gain access to your data.
“Now there’s electronic data traveling through all kinds of devices and networks, and it’s much harder to lock it down,” Patterson says.
Big data breaches in the medical care industry have been on the rise over the past decade, including the hack of health insurer Anthem in 2015, when about 70 million of its records were reportedly stolen. And yet it’s still unclear how often medical identity fraud stems from those kinds of hacks, Patterson explains.
Most at Risk for Medical Identity Theft
What industry analysts do know is that some people are more likely to become targets, including people on Medicare. “That Social Security number on the card is a gateway, not just to medical fraud but to all kinds of fraud,” Patterson notes.
Older adults might also be more susceptible to scams because they tend to be less circumspect about giving up personal health information, she adds. Children’s health records are aggressively pursued by criminals, it turns out, because a minor’s credit report—which would list unpaid debts—isn’t usually seen by parents until a child is old enough to secure credit in his or her name.
Also particularly vulnerable to medical identity theft, says Pam Dixon, executive director of the nonprofit World Privacy Forum, are new mothers, surgery patients, and people with chronic conditions such as diabetes or serious illnesses such as cancer. That’s because the more interaction you have with the healthcare system, the more opportunity for records to be breached.
Anyone who casually puts a lot of personal information on social media sites and apps, such as millennials, might attract medical identity thieves, too. Criminals, Patterson explains, are “very good at aggregating social media information and pairing it with health and other data they’ve gotten, like dates of birth and addresses.”
The Chaos in Care
The effects of medical identity theft can be far-reaching, costing victims time, money, and aggravation. A 2016 report from Javelin Strategy & Research found that, on average, identity fraud victims spent only $55 out of pocket to resolve financial account problems in 2015.
But 65 percent of the medical identity theft victims surveyed by Ponemon said they spent an average of $13,500 to pay the healthcare bills run up in their name, to recover their health insurance, and to pay lawyer’s fees, among other things. Ponemon also found that it took an average of more than three months for victims to even detect the fraud and more than 200 hours to undo the mess.
Mary Levine of Lake Charles, Louisiana, says she has been logging time on the telephone with the police, hospitals, doctors, and Medicaid almost every day since she learned in mid-June that someone had racked up some $20,000 in fraudulent medical bills using her identity. Although Levine is working closely with the nonprofit ITRC and her local sheriff's department, the bills continue to arrive, and her worries are mounting.
"I keep telling the hospital that I've never been there," says Levine. "I've been calling nonstop. They just say they have not clarified anything at all and they'll call me whenever they make a decision."
There’s much more to do to safeguard consumers from medical identity theft, experts say, including creating a defined process for resolving medical and financial problems.
But, says Orly Avitzur, M.D., M.B.A., Consumer Reports’ medical director, one thing that healthcare experts don’t want is to completely lock up our medical data. “It’s important for doctors to be able to share your health needs, diagnoses, and treatment information with each other, and to do so quickly in the event of an emergency,” she says.
Deborah Ford’s encounter with medical identity theft may have been extreme, but the way she handled it was impressive. Once she found out about the fraud, she got on it—alerting every entity involved— and stayed on it until it was over.
“They never used my credit card or checking account; I checked. But lo and behold, they did more than that. They got what they wanted—my insurance information,” she says.
Still, it cost her $1,500 in fees and took five more years to expunge the drug arrest. On that day, Ford says, “I got my name back.”