Federal stats: Identity theft of medical records on rise

Identity theft of health records has become big business and a growing problem.

Reports of health-record identity thefts jumped 61.5 percent last year, federal statistics show.

Nationwide, 64,150 data breaches have occurred since October 2009, including 24,429 in 2012 alone, according to the Office for Civil Rights, part of the U.S. Department of Health and Human Services.

Of the 525 breaches reported and verified from October 2009 to December 2012 that involved more than 500 patients, 9.4 percent occurred in New York. Most of those were reported in 2010.

Health care providers are required to report breaches under the Health Insurance Portability and Accountability Act, or HIPAA, which protects patients' medical privacy.

Jim Romagnoli, vice president for protective services at North Shore-Long Island Jewish Health System, calls identity theft "the crime of this century."

"To a thief . . . he's better off stealing your identity," said Romagnoli, a former NYPD detective in charge of security for the health system. A thief "can steal so much more than by gunpoint."

'Threat is constantly there'

The risk of medical information being stolen has increased as health care providers, spurred by financial incentives as part of the federal health care overhaul, rely on increasingly sophisticated computer technology and make the transition to electronic medical records, officials and experts say.

"We're always mindful of the vulnerability. The threat is constantly there," said Janine Logan, spokeswoman for the Nassau-Suffolk Hospital Council. "Long Island hospitals have spent millions on controls to combat data breaches in all settings -- paper, electronic and spoken."

The North Shore-LIJ health system was sued for $50 million last month by 12 former patients who charged that the health system was negligent in allowing their medical information to be stolen.

In April, law enforcement officials revealed that an identity-theft ring had lifted "face sheets" -- the top sheet of a patient's medical file that contains personal information such as a Social Security number -- from more than 100 patients at North Shore University Hospital in Manhasset. So far, another 28 people have joined the class action suit.

The health system informed patients as soon as it learned about the breach and has initiated several changes, including removing some personal information from face sheets and requiring workers to log off their computers every time they walk away from them, Romagnoli said.

There are other indications identity theft from health care providers is on the rise.

In a report published in December, the Ponemon Institute, a privacy research firm based in Traverse City, Mich., and ID Experts, data breach consultants in Portland, Ore., found that 94 percent of the 80 health care organizations they surveyed had at least one data breach in the past two years. Forty-five percent had more than five in the same period. That's up from 29 percent two years ago.

More than half surveyed said they were not confident they could detect a data breach. And the money involved can be substantial -- the survey estimates that identity theft of health records cost the United States more than $40 billion in 2012, affecting 1.85 million people.

The toll on individuals is high. According to the federal Bureau of Justice Statistics, U.S. households lost about $13.3 billion because of all kinds of identity theft, including health records, in 2010, the latest statistics available. The average loss per household was about $2,200. Of the 1.8 million complaints to the Federal Trade Commission in 2011, 15 percent involved identity theft of all types.

Identity theft of medical records can be especially pernicious. In most cases, thieves use the health data to make financial mischief like the North Shore thefts that resulted in shopping sprees in three states. More troubling are cases of people being charged for procedures and tests they did not receive and having their medical files filled with the thief's medical history.

This so-called "medical identity theft" made up 1 percent of all identity theft complaints to the FTC in 2011. But Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group in San Diego, said this is the No. 1 issue her group deals with, generating hundreds of calls each year from people whose medical files have been corrupted by thieves' medical information.

"It has led to so much harm," she said. "Even when there is no [medical] mistreatment, it has caused countless hours of people trying to remove incorrect information from their file. There are serious legal hurdles in removing information from your file even when it's fraudulent."

That's because once a medical file includes another person's medical history, some hospitals argue it can't be turned over without consent of the impostor.

And for those who have found their personal information has been stolen, there's the worry that it will happen again.

Cost of thefts is highPaulette Schramm of Manhasset, a plaintiff in the suit against North Shore-LIJ, said she was a patient at North Shore University Hospital at the end of April 2011. Several weeks later she learned that close to $8,000 had been charged on her credit cards. "For the rest of my life, I have a monkey on my shoulders," she said.

Larry Ponemon, chairman of the Ponemon Institute, said he expected the number of identity thefts from health care providers to keep rising.

"Things will get worse before they get better," he said. "We see hacking as a daily event. It just seems that the ability to protect this information is not easy." As the protections become more sophisticated, "the hackers get smarter," he said.

Romagnoli agreed. "Once a safeguard is in place, the bad guys are trying to defeat it," he said. "It's a cat-and-mouse game."

Yet many of the breaches reported since 2009 are less sophisticated and involve stealing computer equipment, records show.

Not everyone believes that technology -- especially electronic medical records -- will increase the number of thefts. Maureen Gaffney, senior vice president and chief medical information officer at Winthrop-University Hospital in Mineola, said that electronic medical records allow "better surveillance" because there is an electronic trail. "We had no idea who opened paper charts," she said.

She attributes some breaches to organizations trying to go paperless too quickly.

Winthrop was an early adopter of health information technology and is among only 5 percent of hospitals nationally that the government has designated as having achieved the first stage of a three-part program that measures health information technology use and competence.

"Are we going to stop them all?" Gaffney said of identity thieves. "I don't know if that's possible, but we can make it harder and harder and put layers of protective shells around the system." She said Winthrop has had no breaches "but that's as of today. That could change."

Critics say that one obvious deterrent would be to take Social Security numbers off Medicare cards. The Government Accountability Office released a report last August calling for the federal Centers for Medicare & Medicaid Services to remove all or part of beneficiaries' Social Security numbers. A bill was passed in December in the House calling for their removal. The bill has been referred to the Senate Finance Committee.

At issue is cost. With more than 48 million Medicare recipients, the federal Medicare agency estimated that removing Social Security numbers would cost $803 million to $845 million.

But the GAO questioned those estimates and urged the agency to come up with a plan.

"Lack of action on this key initiative leaves Medicare beneficiaries exposed to the possibility of identity theft," the GAO report concluded.

Joe Baker, president of the nonprofit Medicare Rights Center in Manhattan, agreed.

"The reality is that it needs to happen regardless of the cost," he said.

Medical Identity Theft

How to detect it

-- Always read your medical and insurance statements.

-- Signs of medical identity theft can include: a bill for medical services you didn't receive; a call from a debt collector about a medical debt you don't owe; medical collection notices on your credit report that you don't recognize; a notice from your health plan saying you reached your benefit limit; a denial of insurance because your medical records show a condition you don't have.

How to correct it

-- Get copies of your medical records.

-- Contact each doctor, clinic, hospital, pharmacy, laboratory, health plan and location where a thief may have used your information. If a provider denies your request for your records, you have a right to appeal.

-- Ask each of your health plans and medical providers for a copy of the "accounting of disclosures" for your medical records. The accounting is a record of who got copies of your records from the provider.

-- Write to your health plan and medical providers and explain which information is not accurate. Send copies of the documents that support your position. Ask the provider to correct or delete each error. Keep the original documents.

Where to get more information

-- The Federal Trade Commission: ftc.gov or call the identity theft hotline: 1-877-ID-THEFT (1-877-438-4338), TTY 1-866-653-4261

-- World Privacy Forum: worldprivacyforum.org; email info2009@worldprivacyforum.org; or call 1-760-712-4281

-- Identity Theft Resource Center: idtheftcenter.org or call 1-888-400-5530

Sources: Federal Trade Commission; World Privacy Forum; Identity Theft Resource Center