NursingLink

Identity thieves prey on patients' medical records

Doctors’ offices, clinics and hospitals are a fruitful hunting ground for identity thieves, who are using increasingly sophisticated methods to steal patient information, lawyers and privacy experts say.

Recent disclosures that hospital workers snooped into the medical files of Maria Shriver, Britney Spears and George Clooney highlight the vulnerability of patients to the merely curious and the criminal.

Legal experts say lawbreakers use medical information to get credit card numbers, drain bank accounts or falsely bill Medicare and other insurers.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, says attention on identity theft has focused on how easily criminals can get financial records. “Now we’re moving into an era where many of those same problems occur with medical records,” he says.

Hospitals and other medical settings often encrypt data and take other steps to protect privacy, but “people are acting with increasing sophistication to steal information,” says Stuart Gerson, a Washington, D.C.-based attorney who represents health care firms.

Those intent on crime “attempt to gain the assistance of insiders” and use new techniques to capture data from files, even those that are encrypted, he says.

Pam Dixon, executive director of the World Privacy Forum, an advocacy group, says “sophisticated crime rings” often can make more money by stealing medical identities than by going after individuals’ bank accounts or credit cards. “If you steal someone’s medical identity, then multiply that by 100 or 1,000” other thefts “and do fake billings, you can make hundreds of thousands, if not millions, of dollars,” Dixon says.

In Florida last year, a front-desk coordinator at the Cleveland Clinic was convicted of identity theft, computer fraud and other charges after downloading patient information and selling it to a cousin, who submitted more than $2.5 million in phony bills to Medicare.

In April, a former New York-Presbyterian Hospital employee was arrested for participating in an identity theft scheme in which he allegedly accessed nearly 50,000 patient records over two years.

False information from fake billings can end up in patients’ medical files — and creditors might seek payment from the patients. Until the creditors call, patients might not know their medical information has been accessed.

In a recent survey of 263 health care providers, 13% said their facility had experienced a data breach. Of those, 56% said they notified the patients involved, according to the survey by HIMSS Analytics, a non-profit data analysis firm, and Kroll Fraud Solutions, which offers security-related services.

In January, California began requiring that consumers receive notice when their medical information is improperly accessed. It is only the second state, besides Arkansas, to do so, Dixon says.

Similar legislation, written by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., is being debated in Congress.

---