A Colorado man whose name, social security number and address were stolen was billed $44,000 by a hospital for a surgical procedure he never had. Two years later, he's still working to clear his name and credit rating.
In Boston, a psychologist made false entries to charts of people who were not his patients, sometimes diagnosing them with drug addiction or abuse, severe depression and other problems before submitting them - complete with personal information from each patient - to insurance companies for payment.
These two cases were included in a Spring 2006 World Privacy Forum report compiled by Pam Dixon, who concluded that anywhere between 300,000 and 3.25 million people have been affected by medical identity theft. Those numbers, in turn, prompted EpicTide, a St. Petersburg, Fla.-based vendor of IT security solutions, to commission a survey that measured people's comprehension of medical identity theft.
That survey, released Dec. 12, contained some disturbing news.
Conducted last November by independent research firm the Benchmarking Company, the survey polled 500,000 consumers on 23 questions relating to medical identity theft and received 507 responses. Among the most surprising results, said EpicTide CEO Kurt Long, was the number of respondents (2.7 percent) indicating they had been victims of medical identity theft.
"This is a phenomenon that appears to be happening more frequently," he said.
Part of the problem, Long says, is that people don't know what medical identity theft is or they don't care much about it. According to the survey, 47.7 percent had never even heard the term before, while only 52 percent agreed that "allowing a family member to use your insurance card to receive medical care," is an example of medical identity theft.
He believes medical identity theft isn't being taken seriously enough, even though "it's the first information crime that could actually jeopardize your life." Part of the problem, he says, is that most people affected by this crime don't even know who targeted them, making it difficult to seek any sort of retribution.
Long is suggesting a broad-based response that includes laws allowing victims of medical identity theft better access to their medical records, a coordinated effort by law enforcement to investigate and prosecute instances of theft, and more effort by healthcare IT companies and insurance firms to identify and prevent such instances.
New advances in IT are outpacing security procedures, Long added, and companies are leaving themselves open to theft issues in the name of transparency.
That point was brought up by Dixon in her WPF report, when she questioned the viability of a National Health Information Network (NHIN).
"Currently, the mantra is that digitization of private records will improve health care, reduce fraud, reduce medical errors, and save lives," she wrote. "But this does not account for the challenging reality of medical identity theft and the substantial problems it can introduce into such a system."
"The point is, can we really, truly know how the system is being used?" asks Long.
He outlined the need for better understanding on the part of patients, as shown in the survey's results. For example, 88 percent of respondents who were asked to sign a notice of their HIPAA rights at a doctor's office, hospital, pharmacy or medical organization, said they understood their patient rights - and yet when asked true or false questions, 35 percent of the answers were incorrect.
Finally, the survey points to a certain degree of skepticism or distrust. Only 40 percent of the respondents say they felt their healthcare providers could protect their medical records, while barely half of those who responded felt healthcare providers know when someone illegally accesses medical records. And only 30 percent feel hospitals are diligent about informing potential victims of suspected breaches and unauthorized access to patient records.
"This is going to be a learning process," says Long.