There is little question in the minds of security experts that the healthcare industry already represents a ripe target for identity theft.
In July, the American Health Information Management Association released results of a survey of members, many of whom serve as healthcare privacy officers. It found the number of AHIMA members who believe their organization has achieved "significant compliance" with privacy rules linked to HIPAA dropped to 85% in 2006, down from 91% in 2005.
"The most recent stats indicated just a little bit of softening of compliance and security issues," says AHIMA President Jill Callahan Dennis. She says she hasn't heard a lot about an increase in medical identity theft, "but it has been the sort of thing that's been endemic for years. Someone somewhere gets a really malevolent idea to exploit information that they have access to. But boy, once the news reports get out there, it gives a whole new generation an idea that, hey, there is money here."
John Macaulay is a physician who is vice president for the healthcare and life sciences division at Anakam, a company specializing in providing identity authentication for banking and other industries. Last month, Macaulay testified before the confidentiality, privacy and security work group of the American Health Information Community, the HHS healthcare IT advisory panel established last year by HHS Secretary Mike Leavitt. Macaulay said the banking industry, which is targeted by more than 500 online attacks a day, provides a glimpse into the future of healthcare IT.
"We believe that as PHRs (personal health records) and EHRs (electronic health records) proliferate and users reach the tens of millions, fraudsters will set their sights on many of these healthcare sites, starting with those with the largest user bases coupled with the weakest defenses ... because that is where the money is."
According to Pam Dixon, executive director of the World Privacy Forum, that future is now. Dixon, who also testified before the AHIC privacy work group last month, said healthcare already is under attack, most commonly from healthcare workers of all stripes, including physicians, nurses, technicians and other trusted employees. Dixon said medical data has a street value today of $50 a record.
"Once you are an insider, you have the run of the chicken coop," Dixon testified.
The FTC's Kappler says the forum's report is credible, and Dixon is "the leading authority on this issue."
The report written by Dixon, Medical Identity Theft: The Information Crime That Can Kill You, uses the same narrow definition of medical identity theft as the FTC, noting that, "Unlike purely financial forms of identity theft, medical identity theft also may harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies and insurance companies."
Dixon said, "What happens if, heaven forbid, (the victim) gets rolled into that hospital unconscious?"
The transition from a paper-based healthcare record system to an electronic system is "inevitable," according to Dixon's report. But if the identity theft issue isn't addressed, current efforts to link isolated IT systems into an interoperable, electronic healthcare network will only make IT systems richer targets for thieves. And that, paradoxically, could make healthcare more dangerous for the patients, which could hamper IT adoption and expansion.
"Digitized information is much more portable and lends itself to rapid transmission," according to the report. "These are usually seen as benefits, but in the hands of an identity thief, these benefits may become liabilities."
Further, it said, if errors in medical charts and documents arising from medical identity theft are left uncorrected, "as they are by and large today," they could "percolate through a nationwide system."
"Without more attention, patients who have incorrect files in one city will find their same incorrect files available to all doctors and insurers that use the health network," the report said.
Dixon urged the AHIC work group to consider recommending to HHS that risk assessments become a routine part of healthcare IT projects, particularly large-scale ones like regional healthcare information organizations and the government's work on the national health information network.
When a fraud is finally discovered, the victim often is denied access or permission to correct his or her own medical records because of HIPAA privacy issues, Dixon says. The hospital that has been defrauded refuses to show the victim his or her own medical records because they've been commingled with the records of someone else.
Dixon said in the World Privacy Forum's report that HIPAA gives patients a right to seek corrections to their healthcare records, and most institutions will make changes when errors are spotted, but some will not. Under HIPAA, patients have the right to ask for an amendment to their medical records, but the provision does not apply to medical information not created by the provider or insurer. "This means that any medical information sent by one provider or insurer to another provider or insurer does not have to be corrected by the recipient of the information," the report said.
The reason for the HIPAA limitation -- that a third party may not have the knowledge to make a decision about the correctness of the information -- "provides no recognition of the problem faced by medical identity theft," according to the report.
One option: The government could look to the Fair Credit Reporting Act, which requires credit bureaus and other credit-reporting agencies to investigate victims' claims of inaccurate information and make changes as necessary, seeking to create a reasonable balance of interests. HIPAA, in contrast, "essentially washes its hand(s) of the problem with an overly broad exemption," the report said.
In 2003, California implemented pioneering legislation requiring governments, companies and not-for-profit corporations with computer databases containing personal information to report privacy and security breaches to affected parties. Since then, more than 30 states have passed notification laws, although several have exempted healthcare from the reporting requirement.
The new laws, coupled with the increased use of healthcare IT, have made tales of horrendous healthcare privacy breaches commonplace on front pages across the country.
So far this year, more than 230 breaches of computer systems containing millions of records have been publicly reported, according to an online list kept by the not-for-profit Privacy Rights Clearinghouse, at privacyrights.org. At least 45 of those incidents involved healthcare records or healthcare organizations, including insurance carriers, hospitals, physician offices and government agencies. No information was available on the financial impact these disclosures had on the victims or the organizations.
Susan Loitz is an assistant U.S. attorney in the Western District of Washington state and the lead prosecutor against Richard Gibson, the Seattle Cancer Care Alliance employee who became the first person convicted of a criminal violation of the HIPAA privacy law. Gibson pleaded guilty in August 2004 to using a patient's information to obtain four credit cards in the name of that patient, Eric Drew, and make more than $9,000 in purchases. Gibson was sentenced later that year to 16 months in prison.
Loitz says healthcare identity theft has the potential to create a greater level of victim anxiety than theft from a bank or other business would.
"If someone who steals someone's identity is getting treated for a psychiatric problem or a drug problem, and it is attached to the wrong person, it might cause them not to get a security clearance or lose insurance coverage for pre-existing conditions," she says.
Drew also warns about the scope of the problem: "Everybody sees identity theft as these little teeny, petty crimes," he says. "What people are failing to see here is that one identity thief is probably doing $100,000 worth of those crimes." Totaled up, their crimes cost consumers -- including healthcare purchasers -- tens of billions of dollars each year in higher prices to make up for the theft losses, Drew says. "The feds need to take this on, and they're just brushing it off."