ID theft in health care emerging as major risk

Health care records are a "treasure trove of information" for identity thieves because they typically contain more detailed personal information on people than could be found in any other business, according to experts who help health care providers avoid identity theft.

Risk managers should make prevention of identity theft a top priority, says Thomas McShane, JD, regional managing director of the New York City office of the investigative firm SafirRosetti, which specializes in financial investigative services and integrity monitoring. His unit provides legal, auditing, investigative, research, and technical support services, and it recently used many of these services to uncover a major Medicaid fraud case at Staten Island University Hospital that led to several convictions. As a result of that case, SafirRosetti was appointed to a 12-year monitorship by the hospital's insurance company.

McShane works on identity theft issues with James Murray, a forensic accountant and managing director with SafirRosetti in New York City. Murray says instances of identity theft are increasing in all types of businesses, but health care organizations are proving to be a particularly fertile hunting ground for criminals in search of personal financial data. There is no way to guarantee that patients' confidential information will not be divulged, he says, but there are steps you can take to minimize that risk.

Murray points out that health care organizations are doubly burdened when it comes to protecting confidential information because they have data on employees and patients. Staten Island University Hospital has 3,500 employees. "There have been instances where employees of that hospital have had their identities stolen," Murray says. It's important to include employee data in discussions about identity theft, he says. "You probably have as much confidential information on your employees as you do on your patients, if not more."

McShane notes that if a criminal obtains personal information about a hospital employee, that person's identity can be stolen, but the information might also be used to gain access to secure areas of the hospital computer system, where much more information can be stolen.

Screening employees for criminal history is critical, the experts say. Murray recalls working with a company that hired a director of sales and promoted him quickly to president of a subsidiary company, then called in SafirRosetti to investigate financial improprieties. They found out that the man had written his application for the sales job from prison. Once he had access to information on the company's employees, he stole their identities and leased five cars in their names.

"We recommend to all our clients that they do at least a basic background check on all new hires, and the more senior the person or the more sensitive the position, the more you should do a very thorough investigation," McShane says. "Anyone who will have access to sensitive information should be screened, and that can be a lot of people in health care. The entire billing department, for starters."

In addition to a criminal background check, it may be appropriate to do a credit check on people in sensitive positions such as the billing department. Murray says a bankruptcy or other financial hardship could put the person at higher risk of criminal activity, including identity theft. Remember that it usually is necessary to obtain permission from the applicant before doing a credit check. (See box below for more advice on how to reduce the risk of identity theft.)

Steps for preventing identity theft in health care

Thomas McShane, JD, regional managing director of the New York office of the investigative firm SafirRosetti, and James Murray, a forensic accountant and managing director with the firm, recommend these risk reduction strategies for identity theft:

  • Build on the strategies you already have in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA focuses more on the accidental release of information, many of the same policies and procedures in place for HIPAA compliance will give you a good starting point to enact additional steps to prevent the theft of data.
  • Work closely with your information technology (IT) department to develop the appropriate technical defenses, such as firewalls, encryption, and password policies. While the IT techies may have the know-how about defensive procedures, the risk manager must impress upon them the importance of preventing identity theft and the potential liability for a breach. Make sure the IT department knows it will be a very bad day if a multimillion-dollar liability following an identity theft scandal is traced back to poor computer security.
  • Educate all employees, including and especially the front line clerks and office workers, about simple steps to reduce identity theft. Examples include never walking away from a computer and leaving sensitive material on the screen, and never writing down a password where it can be found easily.
  • Perform a risk assessment to determine what information is available on the system and where. How many different computer systems contain sensitive data? Can it be centralized into one system where you can pour all your security resources? A key goal is to ensure that computers — whether they are desktop or laptop — do not contain any unnecessary data that could be useful to an identity thief.
  • Assess compliance with your own policies and procedures. It is common for health care organizations to have safeguards that look great on paper but aren't followed by employees. Employees must be reminded and re-educated about the importance of these security steps on a regular basis.

When you test compliance, you're likely to find out 30% of the employees aren't following your procedures, McShane says. "They're doing it the old way because they don't want to change, or they think the new procedure is too much trouble, or they're just careless," he says. "Don't depend too much on the fact that you've put out this policy and you're assuming everyone follows it."

One of the biggest risks when trying to protect patient information involves the use of laptop computers. Murray and McShane say risk managers must work closely with their information technology staff to ensure that laptops contain only the data necessary for the user and that the information is protected by passwords or encryption. Employees also must understand that laptops are at high risk of theft and should be protected at all times.

It is all too easy for someone to walk off with a laptop that contains sensitive information. For instance, Murray points to a recent incident at Vassar Brothers Medical Center in Poughkeepsie, NY, which reported that a laptop computer stolen from the facility contained a copy of the hospital's entire master patient database. That database made the laptop a gold mine for any identity thief.

In announcing the theft, the hospital did not say exactly how many names were contained in the database but noted that 257,800 of those whose names were in the database were at risk of becoming identity theft victims. They were at risk because the database contained other personally identifiable information on those patients, such as Social Security numbers and addresses.

The hospital reported that the computer theft occurred during a hospital disaster planning exercise. The hospital copied its master database to several laptops for a disaster drill on May 21, simulating the need to operate during a disaster without access to the facility's main computer system. The master database was placed on several laptop computers that were distributed throughout the facility.

The stolen laptop had been strapped to a cart in the hospital's emergency department and used to collect patient data at the bedside during admission. The hospital reports that since the theft, it has erased copies of the database that were on other laptop computers. The hospital notified those whose information was on the laptop and advised them to place a fraud alert on their credit reports. (See box for more examples of stolen computers and identity theft in health care facilities.)

Stolen laptops and poor security can lead to ID theft

Consider these examples of identity theft in health care:

• A patient goes into a hospital for preoperative testing and ends up with more than $8,000 charged to fake accounts in his name at stores across his state.1 In this case, a hospital spokesperson initially said there was no conclusive evidence that any hospital employee misused the surgical patient's personal information, but the arrest warrant said the person was able to obtain a credit card with information stolen by someone who worked at the hospital.

The warrant also said the employee stole patient information including names, birth dates, and Social Security numbers. That employee passed the information to the person who was arrested, who passed the information to an unidentified person in another state. The unidentified person would make up fraudulent operators' licenses and identification cards in the names of the patients, according to the warrants. The warrant stated that the hospital employee was fired from the hospital for violation of policy.

• A patient takes his son to the emergency department at the same hospital and ends up with a $24,000 debt at Home Depot for an account falsely opened in his name.2 According to the media report, the person's name, date of birth, and Social Security number were used to open the Home Depot account. A third patient at the same facility, who had cancer and later died, also was a victim of identity theft. Police arrested an employee of the hospital's affiliated medical school who had access to hospital records, and she pleaded guilty to identity theft charges.

• A hospital notifies 25,000 patients that their identities may have been stolen after two contract employees are arrested on charges of stealing personal information from surgery and emergency patients and charging thousands of dollars on fake credit cards.3 According to a media report, both were employees of a photocopying company that the hospital hired to copy patients' medical records. The women also copied records for patients and attorneys. The photocopying firm says they are planning on conducting stronger background checks; however, the two arrested had no previous records. The hospital is offering credit monitoring and support for the affected former patients.

1. Backus L. Hospital identity theft, Jan. 31, 2005. Accessed at

2. Cohn A. Police connect hospital to identity theft cases. WTNH, May 25, 2005. Accessed at

3. Kaiser South Bay Patients' Information Stolen. KCAL. Accessed at

Laptops are like treasure chests for identity thieves, especially if they know that kind of database is on them, Murray says. "They can just walk out with it and work on cracking passwords and so forth at their leisure," he says. "You should exercise extreme caution, using your best security procedures, with any laptop that has sensitive information."

For more information on preventing identity theft in health care settings, contact:

  • Tom McShane, Regional Managing Director, SafirRosetti, New York City. Phone: (212) 817-6700. E-mail:
  • James Murray, Managing Director, SafirRosetti, New York City. Phone: (212) 817-6700. E-mail:

Feds realizing risk from ID theft in health care

Federal officials are recognizing the risk of identity theft in health care settings and striking back. In a recent press conference, U.S. Attorney for the Southern District of Florida R. Alexander Acosta, JD, based in Miami, announced eight charges against Isis Machado of Miami Lakes, FL, who spent a year as a front desk coordinator at Cleveland Clinic's office in Weston, FL.

The 22-year-old Machado was accused of downloading the computerized personal information of more than 1,100 patients and then selling the data to a cousin, Fernando Ferrer Jr., 29, of Naples, FL, the owner of Advanced Medical Claims of Naples. Acosta says Ferrer is alleged to have used the names to send in $2.8 million in phony claims to Medicare.

Acosta notes that the case is unusual because, while state and federal agents often prosecute clinics and medical supply companies for fraud, the suppliers of the personal information usually are not known. Acosta used the case to remind health care providers that identity thieves can be virtually anyone connected with the health care system, including nurses, billing clerks, even hospital janitors who are in secure areas alone and at night, or the ambulance attendants who transport a patient's records along with the patient.

Acosta says Machado had access to Cleveland Clinic's computers as part of her receptionist duties from May 2005 through June 2006. She and Ferrer were charged with conspiracy to commit computer fraud, conspiracy to commit identity theft, conspiracy to wrongfully disclose patients' health care information, and aggravated identity theft. Machado and Ferrer could receive prison sentences of up to 10 years and a $250,000 fine for the first three charges, but the five counts of aggravated identity theft each carry a mandatory two-year sentence in addition to the other charges.