A receptionist in a California physician's office is accused of stealing a patient's Social Security number and other personal information from the patient's medical record. The receptionist opened credit card accounts in the patient's name, authorities say.
The victim, Tracey Thomas of Berkeley, Calif., is so angry over her resulting yearlong financial problems that she says she's considering suing the receptionist, who has been arrested and charged with the crime. She also may sue her physician for hiring the receptionist, who had a prior conviction for a similar crime, and her health insurance company, for requiring that her Social Security number be used as her patient identifier, which she considers the root of the problem.
Thomas became aware that she was a victim of identity theft when a credit card company called her in March 2000 to verify that she had applied for a card; they questioned the application because the address used was not the one they had on record. But by the time the company contacted Thomas, there were already six fraudulent credit accounts with more than $5,000 in charges in her name. "My credit was so destroyed, I had to delay buying a house for a solid year," Thomas says.
It may turn out that Thomas' identity was stolen through her medical record at a hospital emergency room, where the receptionist also worked. But workplace identity theft is a fact of life for all businesses entrusted with personal client information. And medical offices, with sensitive personal information in patient files, need to be particularly careful.
This story is just one example of identity theft, a practice that appears to be on the rise. "Our own handling of complaints has grown substantially, and we expect that trend to continue," says Betsy Broder, assistant director for planning and information for the Federal Trade Commission.
The FTC keeps a national database of identity theft cases. Its toll-free hot line for victims logged an average of 400 calls a week in March 2000. Today it logs more than 2,000 calls a week, a 400% increase. According to the Privacy Rights Clearinghouse, a not-for-profit consumer information and advocacy program, there were an estimated 500,000 new victims last year.
"We consider identity theft to be of epidemic proportions," says Beth Givens, director of the clearinghouse. "It is one of the fastest growing white-collar crimes of our time."
When it comes to patient privacy, most medical executives are concerned with privacy regulations for the Health Insurance Portability and Accountability Act. And although HIPAA privacy regulations don't address identity theft, a heightened awareness of the crime and the importance of protecting personal information couldn't come at a better time.
In its most basic form, identity theft occurs when a person fraudulently uses someone else's personal information, usually a Social Security number, to open credit accounts in the victim's name. In many instances, a thief gets information when someone loses a wallet, which typically contains all that is needed to open new accounts. For example, Social Security numbers can appear on driver's licenses and health plan, student, employer and military identification cards.
Physicians need to be aware of the crime as both business owners and individuals. As high-income earners, they could be targets for identity theft themselves. In its more extreme and rarer form, identity theft can involve someone completely taking on another person's identity--criminals who impersonate physicians and fraudulently practice medicine.
As managers and business owners, physicians need to be careful whom they hire and how they handle patient and employee information, experts say. Medical and personnel records, more so than wallets, usually contain everything a thief needs to open credit accounts. A dishonest employee could leave an employer liable "if they were negligent in the way they hired the person or handled information," says the FTC's Broder.
To reduce your risks, consider these tips from the Privacy Rights Clearinghouse:
- Adhere to those practices, such as proper document disposal (shredding).
- Conduct regular staff training, new employee orientations and spot checks on proper information care.
- Put limits on data collection to minimize information needed. For example, is the patient's Social Security number really required?
- Put limits on data disclosure. For example, must an employee's Social Security number be on paychecks, parking permits, staff badges or time sheets?
- Restrict data access to staff with a legitimate need to know; have electronic audit trails and strict penalties for browsing and illegitimate access.
- Conduct background checks on potential employees.
"Have an audit trail," Frank says. "Are you locking cabinets? Can they be broken into easily? Those are the kinds of things you need to think about in your information handling practices."
Although no actual statistics exist for how often criminals fraudulently use personal information from medical records, Thomas' case is by no means unique.
According to Nicole Robinson of Oxon Hill, Md., an employee of a business that did work for her HMO obtained her Social Security number and birth date from her HMO file and went on to fraudulently open credit cards in her name, racking up at least $36,000 worth of merchandise. There has been no arrest in Robinson's case. She is considering suing not only the HMO, but the suspect's employer as well.
"We've talked to numerous victims who can trace their problems back to the doctor's office," says Givens. "That's because the Social Security number is almost always required, and that's usually for insurance reasons. Unfortunately, when dishonest employees get hold of Social Security numbers and other identifying information . . . that's all they need to commit identity theft."
Identity theft doesn't appear to be on the radar screens of any of the major physician organizations. If it's thought of at all, it's primarily in relation to the relatively small number of physicians who are impersonated each year.
However, there is a push nationally to limit the use of Social Security numbers as identifers, which Thomas and privacy experts say is a major contributor to identity theft. In a move in that direction, most states no longer require Social Security numbers on driver's licenses; some colleges are taking them off student IDs.
It is difficult to say when or if the use of Social Security numbers as patient identifiers will decrease. One of HIPAA's mandates, for example, is to develop unique identifiers that would be used by a patient throughout the healthcare system. However, work in this area has been put on hold indefinitely by Congress.
Legislators have addressed the issue but have not gained much ground. A bill introduced by California state Sen. Debra Bowen last year would have required health insurers to stop using Social Security numbers on ID cards. The bill was killed in committee; Bowen reintroduced the bill this year.
Cases of con men impersonating physicians and actually practicing medicine do exist, which is another aspect of the identity theft problem. However, considering all the physicians in the country, the number impersonated "is a very small percentage or number, we believe," says Dale Austin, deputy executive vice president and chief operating officer of the Federation of State Medical Boards.
Be careful but don't get paranoid, experts say. The majority of identity theft cases are opportunistic, such as a thief finding a Social Security number while rifling through someone's trash, Givens says. Only a small number of victims are actually targeted. "You just don't want to make it easy for identity thieves," she says.
Sandy Moretz is an Atlanta-based freelance writer.
Protecting your personal informationPrivacy experts recommend these steps to protect your identity, as a consumer and as a physician:
- Regularly check your credit reports with the three big credit agencies.
- Shred or destroy credit and other personal information.
- Do not use your Social Security number when it is not necessary, such as on prescription pads or billing statements.
- Do not carry your Social Security card in your wallet.
- Put outgoing mail in a secure postal box, not in a home mailbox or unlocked office mailbox.
- Be careful what information you provide online.
- Think twice about what information you give to professional directories.