ID Theft: Steps for Preventing FraudHealthcare Organizations Lead Charge with New Controls
A former Florida hospital worker entered a guilty plea in an ID theft case involving the sale of patient information gleaned from accident victim's electronic records. The case highlights that healthcare organizations, as well as those in other business sectors, must be vigilant in their efforts to prevent all forms of ID theft that can lead to fraud.
In the Florida case, prosecutors charged that Dale Munroe, a former registration worker in the emergency department of Florida Hospital in Celebration, inappropriately accessed 760,000 electronic health record files, obtaining information about patients involved in motor vehicle accidents. Munroe sold information on about 12,000 patients to co-conspirators who used it to solicit patients for lawyers and chiropractors, authorities said (see: Selling Records for Profit Alleged).
Munroe pleaded guilty to one count each of conspiracy and wrongful disclosure of identifiable health information. He faces a maximum penalty of 15 years in federal prison. Sentencing has been set for Jan. 14, 2013.
The Florida case illustrates how ID theft opens the door to fraud. In healthcare, another common form of fraud involves using stolen or borrowed insurance IDs to obtain coverage. A recent study by the Ponemon Institutefound that a large portion of medical ID theft involves this type of "Robin Hood" fraud.
U.S. households experienced about $13.3 billion in direct financial losses due to identity theft in all sectors in 2010, according to the most recent figures from the U.S. Bureau of Justice Statistics, Among households with losses of at least $1, the average loss was about $2,200.
Preventing ID Theft
Role-based access controls can help thwart ID theft triggered by inappropriate access to medical records, as in the Florida case.
"Role-based access control, enforced by an automated identity management solution, is the foundation for ensuring that staff cannot access records inappropriately," says David Sheidlower, chief information security officer at Health Quest Systems, a healthcare provider in New York.
Hospitals also should have anonymous compliance hotlines so that staff members feel comfortable reporting any suspected compliance violation, he says. "This helps protect the organization. It is important to advertise the hotline number widely and to be sure it can be a truly anonymous call."
Some healthcare organizations are devising other creative ways to combat ID theft.
At Sharp Healthcare, the San Diego-based integrated delivery system took action after two former Sharp billing department employees pleaded guilty to felony ID theft. The staff members used patient financial information, Social Security numbers and names to impersonate patients and apply for credit cards to go on "shopping sprees," says CIO Bill Spooner.
"We now mask Social Security numbers on our display screens to prevent a dishonest employee from using that key identifier in the credit card application," Spooner says. The software that blocks patients' Social Security numbers from appearing on employee computer displays was devised by one of Sharp's vendors, Spooner says.
Sharp also is using biometric technology to help fight another big ID theft problem: Uninsured individuals using the insurance ID numbers of others to obtain services.
"We implemented palm vein scanning as an additional identity factor," Spooner says.
The biometric technology has been used for about two years in many of Sharp's hospital and clinic admitting areas. But because use of the tools is not mandatory, "the mechanism is not 100 percent effective," he says.
Insurance fraud involving stolen identities is difficult for healthcare providers and payers to tackle, says Lee Arian, staff vice president of program integrity at Wellpoint, a health insurer that's part of an anti-fraud coalition launched this summer by the Department of Health and Human Services.
Some insurance card holders willingly provide their ID to be used by relatives or others who don't have coverage, Arian says. As a result, medical ID fraud often goes unreported or is more difficult to detect.
Most healthcare providers are becoming more vigilant in fighting types of medical ID fraud that involves false credentials, Arian says. "Many will ask a person for their driver's license or other ID along with the medical ID card," he says. But he acknowledges that fraudsters can use fake drivers' licenses other IDs as well.
While biometric technology, including fingerprint and palm scanners, could help thwart ID theft, there are a few big hurdles in implementing the technology, Arian contends.
"There are logistical problems, like who will cover the cost," he says. Also, many physicians feel uncomfortable asking patients for fingerprints. Plus the use of biometrics to fight ID fraud raises new privacy concerns, including the security of storing and managing the biometric data.
Impact on Treatment
Medical ID theft potentially can lead to serious medical treatment errors, says Eric Cowperthwaite, chief information security officer at Providence Health & Services in Seattle.
"If my medical ID is used by someone else to get treatment, that care becomes part of my medical record," he says. And that raises serious potential patient safety issues, especially if the information is shared among providers.
"In the past, ID theft targeted retail and financial services," he says. "But for healthcare, it's one of the biggest issues moving forward."