Alexis Moore got a surprise a few years ago when she went to the doctor, and it had nothing to do with her physical health. "I needed a CT scan of my head and sinus, and when I handed them my insurance card, they told me I had no coverage," she recalls.
Her identity had been stolen. The addresses on her credit card and bank accounts had been changed without her authorization, and her health and auto insurance had been canceled. "I spent over 100 hours on the phone in one month trying to get help from the insurance company and to find out what was going on," says Moore. Meanwhile insurance payments were delayed, or radiologists, pharmacies and doctor's office got letters saying she had no coverage.
"I was not only humiliated, I was having to advocate and plead with these providers to rebill my insurance and help me. Frustrated with having to rebill, they wouldn't and my medical bills skyrocketed," says Moore, who estimates the confusion over the bills cost her $10,000 to $20,000 out of pocket. But even higher, was the emotional cost of the more than two years it took to get her life back in order.
Her response to the ordeal puts it in perspective: Moore founded Survivors in Action, a national nonprofit advocacy group that supports victims of any crime.
Posing as You to Suck Your Benefits Dry
What happened to Moore was a less well-known type of identity theft called identity theft as abuse, but she's just one of an ever-growing number of victims of medical identity theft. According to a recent Ponemon Institute study, about 1.5 million Americans have suffered from medical identity theft, at a total cost of about $29 billion, or approximately $20,000 per person.
Medical identity theft begins when someone gains access to a victim's personal information, and fraudsters can rack up medical charges quickly, leaving insurance companies and Medicare on the hook, and victims owing co-pays for services they never received. Not only can this result in huge financial losses, but the co-mingling of two patients' information can lead to serious errors in records (blood types can change, allergies appear or disappear), misdiagnosis and fatalities.
It's not that hard for a medical identity thief to get started: Items can be taken out of your home or office that make it fairly easy for someone to pose as you and drain your medical benefits, warns John Sileo, author of Privacy Means Profit: Prevent Identity Theft and Secure You and Your Bottom Line. Then too, such data theft can also be an inside job.
"There is a case of a Boston psychiatrist and another of a receptionist in Cleveland who were stealing patient information. The Los Angeles police stated once that gang members were getting their wives and girlfriends jobs in pharmacies, medical and dental offices, with the goal of thieving patient information," says Levin. A major home health care ring in New Jersey was misusing patient information. And the risk goes beyond medical providers: Insurance agencies, government agencies, private sector human resource departments and outside consultants often retain digitized medical records to keep track of their clients and employees. In one high profile case in 2009, a hacker stole 8.3 million patient records and demanded a $10 million ransom, reports Adam Levin, co-founder of Identity Theft 911, a data breach management company.
"Paper medical records create serious privacy threats for patients," says Ryan Howard, CEO of Practice Fusion, which provides free electronic medical record systems to physicians. "They can be easily be lost or stolen, accessed inappropriately with no safeguards. Patient medical data is safer with electronic medical records than with paper charts. Period."
Then too, sometimes the perpetrator is someone close to the victim.
Emily, who declined to provide her last name, says she had no clue how her medical identity was stolen. "I only discovered it when I got a bill in the mail for an emergency room visit. I've never been to the ER in my life," she says.
You may be keenly aware of the need to safeguard your financial information: The same care is required of your medical records. Here are some steps to take to protect yourself.
Be savvy about how your information can be misused. Opportunities abound. An article in DarkReading talks about emerging social networking sites for people with medical conditions like PatientsLikeMe.com, DailyStrength.org and HealthyPlace.com, where people can post profiles similar to those on Facebook. Users are posting photos, hometowns and personal health information -- information that in the wrong hands can be abused. Don't provide your insurance information to anyone over the phone or Internet unless you are absolutely positive that the person with whom you are communicating is legitimate.
"Scam artists posing as insurance companies, doctor's offices or pharmacies may contact you and sound legitimate, but the best course of action is to never give your information out unless you are absolutely convinced it is legitimate. Be skeptical," says Steve Weisman, a professor at Bentley University and author of The Truth About Avoiding Scams.
Review medical bills closely. Medical bills and insurance statements may contain important signs that you are a victim of medical identity theft. Check the itemized costs. If something look suspicious, investigate by calling right away, advises Levin.
Check your medical records. You check your credit report, and you should do the same with your medical records. Always review your Explanation of Benefits. If you find activity that appears to be incorrect, call your insurer and your medical provider. Also obtain, once a year, a "benefits request" from your insurance company. This is a list of benefits paid for in your name by the health insurance. Follow up with the insurer if you find anything suspicious, advises Jeremy Miller, director of operations at Kroll Fraud Solutions. If you receive a collections notice for medical services or equipment that you never received, call your medical services provider.
Ask questions. You're the customer here. Be informed and understand what slice of your information and identity is secured. Ask your doctors if they do ePrescribing, whether they store your information electronically, and if they do, how is it protected? And if they are still using paper, how is that information disposed? These are just some of the questions you should ask, says Dave Miller of Covisint, a company that provides health care IT services.
Speak up. You can request that your health care company use an identification number other than your social security number. "The provider has to comply with your request, since according to the Social Security Administration rules, only the SSA and the IRS can require you to use your true SSN," says Jon Heimerl, director of strategic security at Solutionary, an information security company. Just be aware that using an "alternate ID" can extend claim processing by months, Heimerl warns. Decide if it's worth it for your peace of mind.
Sign with care. Don't automatically sign anything. Read the HIPAA forms in full. You're signing away your rights to privacy -- essentially, enabling the doctor to share your information with whomever she wants. Know where your data will be stored and how it may be shared. "If you don't like it, tell your doctor your concerns before signing it," says Dave Miller. You can also request that your health care providers send you a HIPAA Accounting of Disclosure, which is a list of entities that have received your health care information for uses unrelated to treatment and payment. A disclosure is available to you every 12 months, and it's free.
Know your rights. If you are a victim of medical identity theft, you have a right to get a copy of your records from any of your medical care providers. Get those records and review them. Federal law provides you with the right to have your records amended to remove inaccurate information, says Weisman. This is particularly important because information in your medical report that reflects the condition of someone else could effect your own medical care.
Also, request an accounting of disclosures so you know everyone who has received a copy of your medical records. This way, you can identify who has received the compromised records and contact them to correct their records. You should also file a police report and put a freeze on your credit report, adds Weisman. He also recommends checking out the Identity Theft Resource Center, which offers information on medical identity theft.
"This is just the early stages of becoming a problem," warns Sileo. "It will continue to increase exponentially over the coming years."