Identity theft cases jump radically, outpatient surgery is at risk

Recent cases show need for you to address problem proactively

• A patient goes into a hospital for preoperative testing and ends up with more than $8,000 charged to fake accounts in his name at stores across his state.1

• Another patient takes his son to the emergency department at the same hospital and ends up with a $24,000 debt at Home Depot for an account falsely opened in his name.2

• Another hospital notifies 25,000 patients that their identities may have been stolen after two contract employees are arrested on charges of stealing personal information from surgery and emergency patients and charging thousands of dollars on fake credit cards.3 Police say dozens of patients have come forward and said they were victims of identity theft at that facility. (See details of these three cases.)

Identity theft at health care facilities is a growing trend. "We’ve seen a tenfold increase at medical billing companies where suspects come from the billing companies and are hired by the hospital through an outside agency," reports Sgt. Pete Grimm of the Redondo Beach, CA, police. In one case of identity theft, a thief was able to obtain a second mortgage on the victim’s house, Grimm says.

Some health care facilities have reported break-ins in which the only thing stolen was medical records, says Waldene K. Drake, RN, MBA, vice president of risk management and patient safety at Cooperative of American Physicians-Mutual Protection Trust (CAP-MPT) in Los Angeles. For that reason, have good close-up procedures at the day’s end, "maybe having two persons close up so there is no question that all was locked up appropriately," she advises.

Consider having medical records and files protected by alarms and motion detectors, sources suggest.

Outpatient surgery programs may be particularly vulnerable to identity theft because staff may be copying patient records for anesthesiologists, insurers, peer review organizations, and primary care physicians, says Stephen Trosty, JD, MHA, CPHRM, director of risk management and continuing medical education at American Physicians Assurance Corp. in East Lansing, MI. "The reality of it is, there isn’t any 100% foolproof method to totally avoid it," he admits.

However, outpatient surgery managers can take steps to help prevent private information from being stolen. Consider these suggestions:

• Determine whether it is necessary to obtain Social Security numbers from patients.

When possible, avoid putting patients’ Social Security numbers in their paperwork or on their wristbands, Trosty suggests.

Determine if you must use Social Security numbers as patient identifiers, Trosty suggests. In some instances, the answer still may be yes, "but that’s changing," he says. "As that changes, health care entities need to keep up with those changes."

Many insurers are moving away from using Social Security numbers as identifiers because of the increase in identity theft, he points out. However, it may be necessary to continue to obtain those numbers for Medicare and Medicaid patients because governments typically use those numbers as patient identifiers, Trosty says. One option for other patients, and one that usually satisfies insurers, is to use the last four digits of a Social Security number, he adds.

• Ensure background checks are performed on employees and contract workers.

Perform background checks on your new hires, and if you contract for an outside service, ensure that the service is conducting these checks, Trosty says.

"Ideally, you’d like to see if they’re taking bonds on employees," Trosty says. "Some may not." There are two advantages to their having bonded employees, he says. First, if there is identity theft, money is available to uncover the crime and offer restitution, Trosty says. Additionally, to be bonded, employees have to undergo a background criminal check, he says. "If you say, ‘We only want to use bonded employees,’ it provides financial protection if needed, but it’s also an indirect way to find out if employees are clear."

• Limit access to patient records.

Ensure access to particular information in a record, such as a Social Security number, is on a need-to-know basis, Trosty says. To ensure that access is limited, install appropriate passwords and firewall protections in your electronic systems, he advises.

• Establish policies about removing medical records from your facility.

"One of our doctors called to say she had several charts in her possession and laid them down somewhere traveling from a store to the hospital, and they were lost," Drake says.

• Adequately secure patients’ valuables during surgery.

Ensure that patients’ wallets, which often have identification cards, and other valuables aren’t stolen during surgery, Trosty advises. While some facilities put valuable items under the gurney or stretcher, you may want to insist that patients bring a relative or friend to hold their valuables during surgery to avoid them being taken, he says.

• In the case of identity theft, notify appropriate parties.

Some state laws require you to notify patients if you know of identity theft, Drake says. "A loss of patient information probably also should be reported to the police," she adds.

Also, there are requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to correct the violation of privacy, take action against employees who violate HIPAA, and notify patients, sources say.

• Communicate expectations to employees.

Ensure employees and contracted employees are clearly taught about the confidentiality of patient records and the criminal intent charges that can occur, Trosty advises. "If someone is really determined to do identity theft, it won’t prevent it, but you can show that, as part of your orientation or inservice, you reiterated the legality of that," he says.


  1. Backus L. Hospital identity theft, Jan. 31, 2005. Accessed at
  2. Cohn A. Police connect hospital to identity theft cases. WTNH, May 25, 2005. Accessed at
  3. Kaiser South Bay patients’ information stolen. KCAL. Accessed at


For more information on how to prevent identity theft, contact:

  • Federal Trade Commission. Web: Click on "consumers" and then "identity theft." Move your cursor to "business" on the left side of the page and then click on "Assisting Victims," "Dealing with a Data Breach," "Business Publications," and "Resources."