Medical ID theft: Double danger for doctors

The sooner medical identity theft is discovered, the more likely damage can be minimized. Physicians, patients, insurers and the government all can help detect it.

By — Posted Aug. 6, 2012

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

When Anne Peters, MD, a Los Angeles-based internist, started receiving phone calls in 2006 from patients who were not hers about medical procedures she didn’t perform or even offer at her practice, she figured out pretty quickly that she had become a victim of medical identity theft.

When Dr. Peters sought advice on how to resolve the situation, she not only came up empty-handed, but she soon started feeling like a criminal herself. She was visited by federal agents, she received notices from the Internal Revenue Service regarding back taxes on $750,000 she never earned, and she was even detained once at the airport for more than an hour when she returned from a trip abroad. Meanwhile, Medicare stopped sending her payments for legitimate claims.

The worst part, she said, was that she couldn’t find anyone to help her figure out what went wrong or how to resolve it. What went wrong was that a sophisticated international crime ring had stolen her medical credentials, set up shop under her name and was illegally bilking Medicare out of hundreds of thousands of dollars.

Six years and countless headaches later, Dr. Peters finally got her name cleared. Because of her experience, Dr. Peters is in demand as a speaker on medical identity theft and helps raise awareness among her colleagues and among federal agents, who have developed programs to help physicians in similar situations.

Medical identity theft is very much on the radar of Medicare and other agencies responsible for investigating identity theft. In recent years, it has become the fastest-growing type of identity theft in the world, according to reports. An estimated 2 million people become victims of identity theft each year. And more than 5,300 physicians have listed themselves in a federal database that tracks medical identity theft. For physicians, the threat is a double whammy.

There are two types of medical ID theft: the kind that involves a patient’s identity being compromised; and the kind that involves the physician’s professional identifiers being stolen. Both could bring professional or financial harm to physicians.

Problems for physicians could go way beyond the threat of spending more than a year and many thousands of dollars clearing their names when their professional identities are compromised. (A February survey by Ponemon Institute, which studies computer security and identity theft issues, estimates that identity theft victims spend more than $22,000 clearing their names.)

Physicians also face repercussions when their patients’ identities are stolen. Patients report losing trust in their physicians after a medical ID theft has occurred. There is also the potential for medical errors and bad outcomes caused by two patients using the same identity. Physicians also potentially could be subjected to violations of the Health Insurance Portability and Accountability Act if they did not adequately protect the data from being stolen.

Identifying cases of medical ID theft early can help lessen the damage. And it’s easier than one might think to detect it. Many times, the clues are not well-hidden — it’s just that neither physician practices nor patients are connecting the dots.

Physician practices can work with patients, payers, employees and others to help prevent and detect medical ID theft. The biggest key to detection is education, said Shantanu Agrawal, MD, who serves as medical director for the Center for Program Integrity at the Centers for Medicare & Medicaid Services. Many people don’t even know what medical ID theft is, so educating patients on the problem and how to detect it is well worth a physician’s time, he said.

Warning signs for physicians

Dr. Peters’ story was highlighted in a Feb. 1 article in The Journal of the American Medical Association, by Dr. Agrawal and Peter Budetti, MD, JD, that was meant to educate physicians. Dr. Budetti is CMS deputy administrator and director of the agency’s Center for Program Integrity.

Dr. Agrawal said that when physicians receive calls such as the ones Dr. Peters received from patients she knew she never treated, that should be an immediate warning sign.

In addition to educating patients on the importance of reviewing Medicare summary notices and the explanation of benefits documents sent by private insurers, physicians also should review their own Medicare remittance notices to look for services they never performed, or payments they never received. Names that don’t look familiar can be signs that someone is practicing in his or her name, and Medicare should be contacted immediately.

Physicians also can do routine checks of Medicare’s Provider Enrollment, Chain and Ownership System. This will list the practices associated with a physician’s name. If a practice has been set up using the physician’s Medicare identifier, it will show up on that list.

Jeremy Miller, a director at Kroll Advisory Solutions, a security response and mitigation firm, said other warning signs include mailings or phone calls that make reference to corporation filings or businesses under a different name than the actual practice. Other clues are credit reports that show accounts a physician doesn’t recognize.

“Don’t just assume it’s a mistake,” Miller said. “The earlier you capture those kinds of things, the easier it is to get it untangled.”

Physicians also should be aware that many thefts start with employees in the practice, said Bill Fox, senior director of the health care division at LexisNexis Risk Solutions. Some employees have access to passwords or identifiers that could be used to establish a fraudulent practice in the physician’s name. And they have the ability to intercept evidence that the fraud is occurring.

Risks for patients

Even though a large percentage of medical ID thefts that involve a patient using someone else’s insurance credentials to receive care are “Robin Hood” crimes involving willing victims, the consequences still could be devastating to both patients and physicians.

Patients run the risk of receiving improper medical treatment because of someone else’s information being in the medical record and used by physicians to make a treatment decision. And physicians who miss obvious signs that a patient is not who the medical record indicates could be held liable for any harm that was done because of the oversight, said Larry Ponemon, PhD, chair and founder of the Ponemon Institute.

Just as EOB documents are a good way to detect physician medical ID theft, they are also a good way for patients to see whether someone is receiving services using their insurance benefits. But many patients toss these notices aside.

A survey by Harris Interactive conducted on behalf of Nationwide Insurance found that only half of U.S. adults have reviewed their medical records, and only 24% have ever checked for fraud within their records.

It’s well worth a physician’s time to educate patients on the importance of the EOB or Medicare summary notices and how to read them, Dr. Agrawal said.

Practice employees also are a good resource, as they are on the front lines, processing the paperwork of patients who may not be who they say they are. A checklist of things the front desk and physicians can do to thwart identity theft:

  • Ask for two pieces of identification. Jorge Rey, information security and compliance director for Kaufman Rossin & Co., an accounting firm in South Florida, said this simple request can be an easy way to sniff out criminals. If the patient has an insurance card but no photo ID, or if a second piece of identification is handed over and it looks fake, or the description doesn’t match the person, consider these as warning signs.
  • Ask for a referral source. Rey said simply asking new patients how they heard of the practice can prove beneficial. New patients are generally there because they were referred by another doctor or by a friend. Those referrals, especially ones from other doctors, can be used to establish the person’s identity, if needed.
  • Look for inconsistencies in the record. The advancement of health information exchanges will make these crimes harder to pull off, because physicians won’t need prior relationships with patients to know something about them. Having access to patient records from another facility can help physicians identify discrepancies such as dramatic changes in weight or height.

What to do if you suspect something

The first thing physicians should do about potential medical ID theft is to heed the warning signs. If physicians or patients suspect fraud, Dr. Agrawal said, they should call their insurer. Medicare has a toll-free number where potential cases can be reported, and all calls are taken very seriously, he said. Many times these calls result in a new investigation or add information to one in progress.

Similar steps should be taken if the patient is insured through a private plan. The Federal Trade Commission also investigates medical ID theft and has a hotline and website where complaints can be filed. A police report should also be filed, Dr. Agrawal said.

While Dr. Peters never asked nor wanted to become the poster child for medical identity theft, she has taken her role seriously. She uses every available opportunity to educate other physicians about the risks. She urges more focus on prevention.

Medical ID theft is much more complex than other types of financial or identity theft, Ponemon said.

If you lose your credit card, for example, you can call the bank and they will cancel your current card within seconds and send you a new card with a new number. Use of medical identification isn’t as simple to stop, Ponemon said.

“In the world of health care credentials, if you lose your wallet and your credential is gone and you contact your health [insurer], they may send you a card with the same number on it,” Ponemon said. “They don’t really have these anti-fraud procedures in place.”

The key is for health care organizations to have their own anti-fraud procedures and to be vigilant about using them, he said.

Back to top


Few patients can define medical ID theft

Patients can’t be expected to act as partners in detecting medical identity theft if they don’t know what it is. A recent survey of insured adults found that few patients know how to define medical ID theft properly. Even those familiar with the term “medical ID theft” were unlikely to define it correctly.

15% are familiar with the term “medical ID theft”

15% are able to define medical ID theft (of those familiar with the term)

19% think it would take less than two weeks to correct medical ID if stolen

22% believe the most likely consequence of medical ID theft is their insurance will be canceled

24% have checked medical records for fraud

32% think it’s likely that their medical identification will be stolen

56% think it’s likely their credit card or credit card number will be stolen

Source: “Medical ID Theft Study,” Nationwide Insurance, March


Back to top

The cost of medical ID theft

The Ponemon Institute surveyed 757 patient victims of medical ID theft to find out how the situations were resolved and the repercussions of the crimes. Often, physicians might be obliged to cover the cost of identity theft if it happened at their practice.

Average time to resolve: 12.1 months

Personal cost of resolving theft: $22,346 per victim

Those who lost trust in their health care organization as a result: 51%

Percentage who had medical records accessed: 20%

Percentage with private insurance: 44%

Percentage with Medicare: 21%

Percentage not insured: 20%

Source: “Third Annual National Study On Medical Identity Theft,” Ponemon Institute, June

Back to top

Where to go for help

There are several agencies, both government and private, that investigate and provide resources on medical identity theft.

For more information

  • World Privacy Forum (link)
  • Federal Trade Commission (link)
  • CMS Provider Victim Validation/Remediation Initiative (link)

To file a complaint

  • Federal Trade Commission: 1-877-IDTHEFT (438-4338)
  • Medicare: 1-800-MEDICARE (633-4227)
  • Office of the Inspector General: 1-800-HHS-TIPS (447-8477)

Back to top

External links

“Physician Medical Identity Theft,” The Journal of the American Medical Association, Feb. 1 (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn