

Medical Identity Theft: Detection vs. Prevention

The ambulance tires crackled on broken glass, well before reaching the mangled car. The victim, an unconscious woman in her mid-twenties, was bleeding profusely. It was apparent that she would need immediate surgery upon arrival at the hospital. During transit, EMTs relayed information that allowed hospital staff to identify the victim as having visited the same hospital as a new patient six weeks prior, for an injury resulting in the partial loss of a finger on her left hand. When she arrived, staff quickly prepped her and rushed her into surgery. Moments before the surgeon began work, an alert nurse noticed something odd. This woman had all of her fingers. They reacted quickly, kept her alive while they retested her blood type, and were able to save her.

Upon investigation, the hospital found a cyber breach in one of their satellite clinics had gone undetected for 3 months. The victim, a patient at the clinic, had not yet received anything in the mail regarding billing or insurance from the fraudulent hospital visit. The investigation also revealed a hacker had stolen the identities of hundreds of patients from the clinic and sold a series of false insurance cards to various people.

This is an example of a patient who could have had a significant adverse outcome because of medical identity theft. Medical identity theft involves the fraudulent use of another individual’s identifying information to procure medical services. This breach exposed the hospital to lawsuits, affected their reputation in the community, and left them open to higher scrutiny by regulators. On top of that, the insurance company that paid the fraudulent medical claims was seeking a refund of thousands of dollars.

The hospital had better-than-adequate cybersecurity, so no one thought they could be the target of a data breach. Could this medical identity theft incident have been detected earlier?

Patterns of Use
Hackers are actually close to the bottom of the list of suspects in medical identity theft. The most common perpetrators are employees and relatives or friends of the patient. All of these people have easy access to the confidential information needed to fraudulently secure medical care. Yet many healthcare providers only detect medical identity theft when the fraud victim informs them of billing issues weeks or months after the fraudulent care has been given. This inefficient detection system creates exposure to catastrophic consequences, like the example above.

Early Detection of Medical Identity Theft

  • Health records – Be alert to conflicting or unusual information in a patient’s health record, for example a medical record that is not consistent with the medical history or exam. Discuss discrepancies with the patient.
  • Billing – A cyber breach may be suspected if there is a sudden surge in defaulted accounts. Investigate the potential for fraud prior to sending collection notices.
  • Complaints – Patients may dispute bills, alleging that they never had the described visit or treatment. Assign a fraud specialist in the billing department to work closely with fraud claimants to help gather information and minimize risk.
  • New patients – Identity thieves must go someplace new in order to avoid being recognized. In addition, train staff to question and report any suspicions that a patient may not be who they represent themselves to be.
  • ID requirements – People buy fraudulent insurance cards, but generally not the full identity of the victim. Require positive photo proof of identity at patient check-in and strictly enforce the need for identification.
  • Change of information – Be aware that identity thieves may change information such as addresses and phone numbers at the time of the visit to throw off billing and give them more time between the visit and detection. This may be a red flag.
  • Patient education – Instruct patients to take an active role in early detection of their own identity theft by monitoring their medical bills, explanation of benefits and pharmacy information, and reporting any suspicious activity.

It is virtually impossible for a healthcare provider to adequately keep up with the ever-evolving tactics used by criminals. By establishing solid detection procedures, discovery of fraud is faster, the number of victims affected decreases, and the chances of catching the perpetrator increase. Contact PS&F’s Healthcare Practice Group for help to identify exposures and to work with you to create detection and prevention solutions.
