Medical ID theft rises: Patient billed for impersonator's phony liposuction

Sierra Morgan was billed $12,000 on her health-care credit card in November for liposuction, a procedure she never requested or had.

"It's depressing to know that someone used my name and knows so much about me," said the 31-year-old respiratory therapist from Modesto, Calif.

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008, according to Javelin Strategy & Research, a market research firm. The average fraud cost $12,100, Javelin said.

"A trend we've seen over the past few years is using stolen information to file false claims," said Louis Saccoccio, executive director of the Washington-based National Health Care Anti-Fraud Association, a non-profit research group.

Criminals set up fake clinics to bill for phony treatments, said Pam Dixon, founder of the World Privacy Forum, a non-profit consumer-research group based in San Diego, Calif., which has worked with more than 3,000 victims. Thieves also may impersonate a patient, like in Morgan's case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The digital files will improve care and help lower costs, the government said, without projecting savings.

Digital files"Once files are in electronic form, the crime scales up quickly," said Dixon, whose group analyzed a decade of consumer data from the Federal Trade Commission and medical identity theft cases from the Department of Justice."There are cases where someone has walked out with thousands and thousands of files on a thumb drive," she said. You can't do that with paper files."Patients' medical records are altered to reflect diseases or treatments they never had, which can be life threatening if they receive the wrong treatment or find their health insurance exhausted, Dixon said. A thief may change the billing address for a victim's insurance so they're unaware of charges, she said."Once you aggregate and put data in one place it's easier for you to see it but it's also easier for a criminal to see and use it," said Scott Mitic, chief executive officer of TrustedID, a consumer data-protection firm.Life flightBrandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for an oil company in Houston, Texas. Medical identity theft is about 2.5 times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught. The average fraud involving health information was $12,100 compared with $4,841 for all identity crimes last year and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.No ID check"It's becoming the credit card with a $1 million limit," said Jennifer Leuer, general manager of ProtectMyId.com, an identity-protection service provided by Experian Plc, a Dublin-based credit reporting firm. "If the health insurance is valid, they'll treat you and not always check your ID."Insurers are improving technology to spot false claims, said Tom McGraw, a senior vice president at Ingenix, a subsidiary of Minnetonka, Minn.-based UnitedHealth Group Inc. The company can now track distances between providers and beneficiaries to identify if physicians are treating patients who don't live nearby, he said.Legislation passed last year requires doctors and hospitals to notify patients when their information has been exposed from a security breach, said Randy Sabett, co-chair of the Internet and data protection practice at Sonnenschein Nath Rosenthal LLP, based in the law firm's Washington office.National standardsNational standards should be established for fraud alerts on health care files, said Dixon of the World Privacy Forum.The Mayo Clinic uses electronic medical records and started adding patients' photographs to them in the past year for safety and security, said Greg Warner, director of the Office for Compliance for the Rochester, Minn.-based hospital. Eligible hospitals and physicians may begin receiving government payments for using approved digital records this year under Medicaid and next year under Medicare, according to the Baltimore-based Centers for Medicare Medicaid Services. About 44 percent of U.S. doctors used some form of electronic records last year, according to the National Center for Health Statistics.Request recordsPatients should request a copy of their medical files from their doctors after each visit, ask their insurer annually for a list of claims and watch their credit reports, according to the World Privacy Forum.Victims should file a police report and contact the Federal Trade Commission because it may help their case when asking a hospital or doctor to amend errors in files, Dixon said.Sierra Morgan contacted the police and worked with the health clinic in Sacramento to arrive when her impersonator had an appointment, she said."I wanted to catch her," Morgan said. "What nerve she had using my name to get liposuction."