ID Theft Infects Medical Records
Victims face bogus bills and risk injury or death. Privacy laws make such fraud hard to pursue
By Joseph Menn
Los Angeles Times Staff Writer
September 25, 2006
After shoulder surgery last year, Lind Weaver was stunned when hospital bill collectors demanded that she pay for the amputation of her right foot.
“Either you didn’t do the surgery, or you did a really [shoddy] job of it,” Weaver told them, sending along notarized photos of her toes, all still attached. “Either way, I’m not paying.”
But the 56-year-old retired schoolteacher quickly discovered she was dealing with something more nefarious than a simple clerical error: An identity thief had obtained medical care under Weaver’s name and had the bill sent to her insurer.
A year later, Weaver is still trying to catch errors in her medical records and clear the hospital bills fraudulently run up in her name.
“It became a 40-hour-a-week job,” Weaver said. “I put my phone to my ear and sat there listening to elevator music.”
Although the most typical of the millions of identity theft cases in the U.S. each year involve credit cards, a 2003 federal report estimated that at least 200,000 instances involved medical identity fraud. Experts believe that the rising cost of healthcare is driving more identity theft, and that many people are unaware they have become victims unless they receive a hospital bill or query from their insurer.
“There’s no reason to assume the patients ever find out,” said Harvard University management professor Malcolm Sparrow, an expert on regulatory agencies who has written books on healthcare fraud. “The bulk presumably remain invisible.”
With their medical records compromised, victims of this kind of fraud face a greater risk of injury or even death if doctors make treatment decisions based on bad information. Files might list incorrect prescriptions or the wrong blood type. Or, as in Weaver’s case, an erroneous diagnosis of diabetes.
Bad information can also put careers and insurance at risk. Many employers, including more than a third of the Fortune 500 companies, demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation. Health and life insurance companies routinely scan medical files or payout reports before issuing new policies.
Victims, though, often find that clearing their medical records of bad information is much more difficult than fixing credit reports, which are centralized in three major credit bureaus.
Consumers have the right to obtain one free credit report annually, and to demand an investigation of information they believe is fraudulent or incorrect. Unverified reports must be removed promptly.
Medical records, in contrast, can be scattered across dozens of doctors’ offices, hospitals and clinics. And federal privacy rules intended to protect private information can make it difficult for patients to even obtain their own records when identity theft is suspected.
“These privacy rules might put you in a situation where you can’t even investigate,” said Wilma Kidd, chief privacy officer at WellPoint Inc., the largest U.S. health insurer for employees and other groups.
A big reason most people never find out about erroneous records is the Health Insurance Portability and Accountability Act of 1996. The law can make it difficult for patients to see their own medical records, since the penalties for improper disclosure prompt some hospitals to set up roadblocks including demands for multiple forms of identification.
The bitter twist on medical identity theft is that once a person tells a keeper of records that someone else’s data might be intermingled, the file becomes even harder to obtain. Why? Because it includes another person’s medical history, which many hospitals argue can’t be turned over without consent.
Even when patients do see their records, they have no automatic right to fix errors they find.
As she battled collection agencies last year, Weaver fought to see her medical files. She suspected that someone had used her identity to obtain a foot amputation, but hospital officials wouldn’t help.
Weaver marched into the hospital waiting room in Bunnell, Fla., and started shouting that the doctors didn’t know who their patients were.
That got her service in a hurry. After she was shown to a consulting room and given the file, she soon thought she had weeded out her impostor’s medical history.
In May, Weaver suffered a heart attack at her home in Palm Coast, Fla., and was in and out of consciousness.
When she awoke in her hospital room two days later, a nurse asked Weaver what drugs she had been taking to treat her diabetes. Weaver has never had diabetes, a disease that can lead to foot problems severe enough to require amputation.
“They could have given me insulin,” Weaver said. “There’s a whole different heart procedure that covers people with diabetes.”
Diabetes experts said those procedures would have been unlikely to threaten Weaver’s life. A hospital spokeswoman declined to answer questions about Weaver’s case.
Weaver doesn’t know how her identity was compromised, but identity fraud is easy when so many in the medical field have access to intimate records and patients are admitted without having to prove who they are.
At New York homeless shelters, state Medicaid identification cards once could be rented for as little as $2 a day, said Harvard’s Sparrow, who has seen overlapping pregnancies claimed under the same name. In Veterans Affairs hospitals, some eligible veterans have their identities assumed by brothers or cousins who have easy access to their documents, said Richard Ehrlichman, the department’s assistant inspector general.
Sometimes it’s the doctors who commit identity fraud to collect insurance payments for work they didn’t perform.
A Boston-area psychiatrist, Richard Skodnek, was convicted a decade ago of fraud after falsifying diagnoses, treatment sessions and entire patient histories. His victims, some of whom discovered that their insurance benefits had been exhausted, had to struggle to clear their records.
In perhaps the most sensational case, a Chicago podiatrist under grand jury investigation for exaggerating the work he performed shot and killed one of his patients in 2002 when she refused to lie on his behalf. Ronald Mikos was convicted of the murder last year.
Many insurance companies have hotlines for reporting fraud against them, and they sometimes refuse to pay suspicious hospital bills. But that often doesn’t do the identity theft victims any good: They still have to make their own cases to the hospitals, the bill collectors and the credit agencies.
In Weaver’s case, getting the insurance company involved made things worse.
After Weaver realized she was being billed for an amputation she never had, she told her insurance company, which refused to pay as well. In the hospital’s eyes, that left Weaver responsible for the whole $66,000 surgery bill, instead of just her deductible.
Collection agencies didn’t care about her explanation. Each tacked on a fee and resold the collection contract to the next agency down the line. That made correcting Weaver’s credit report especially difficult, because after she established that she wasn’t responsible for one amount billed on a certain day, the credit bureau would receive notice of a new amount with a different date, even though it was based on the same bogus debt.
Even when identity theft victims avoid health complications, the legal side effects can be terrible.
Anndorie Sachs of Salt Lake City found that out in April during a phone call from Utah’s social services department. The social worker told Sachs that her hospitalized infant had tested positive for methamphetamine. The state planned to take away the baby, along with her siblings at home.
Sachs, a mother of four, said that she hadn’t delivered a baby in two years.
“I was freaking out,” said Sachs, 27. “She was not going to believe a word. She said: ‘You’re Anndorie Sachs. You’re on the birth certificate. We know your other kids are being exposed to this too.’ “
After the social worker grilled Sachs’ 7-year-old about whether her mother had been to the hospital lately, the agency relented.
Months earlier, Sachs’ driver’s license was stolen from her husband’s car. It eventually emerged that a woman named Dorothy Bell Moran had used that license when she checked into the hospital to give birth.
Already wanted on other charges related to identity theft, authorities said, Moran hadn’t wanted to use her own name for fear of getting caught. (She was later arrested on the earlier charges.)
Sachs had to hire a lawyer to disentangle the legal and medical records, and she is still fighting a collection agency over the medical bill.
As with Weaver and other victims interviewed, the Utah hospital cited the health insurance law and refused to show Sachs her files after she told them someone else’s paperwork was included. After Sachs went to the local media, officials agreed to delete both women’s records.
Just to be safe, when Sachs contracted a kidney infection, she chose a hospital that neither she nor the impostor had used. But some records had been shared electronically, and the hospital had the impostor’s blood type down as Sachs’ — setting up a possible fatal error.
Fortunately, staffers had drawn blood and double-checked. When they reviewed other data with Sachs, she found they also had the wrong emergency contact name and number.
The increased use of electronic records such as the ones that dogged Sachs could worsen the spread of medical errors caused by identity theft.
In the last year, the Senate and the House have passed broad bills pushing for wider use of electronic health records. Supporters, including many big technology firms and insurers, said the plan would increase efficiency, reduce error rates and provide earlier warnings about public health problems.
Such a system could also make correcting medical errors easier — but only if patients catch them beforehand, and only if the service providers agree to change them.
As the web of electronic distribution expands beyond the current pilot projects, more people will see medical records. That could increase identity theft while making existing errors harder to resolve, said Joanne McNabb, chief of the California Office of Privacy Protection.
“There is added risk that we’ve seen all over the place with electronic data,” McNabb said. “It can go to the wrong place at the wrong time very easily.”
Keeping tabs on health records
Under the federal law known as the Health Insurance Portability and Accountability Act of 1996, medical providers have wide latitude to disclose records to others in the field, as long as they tell the patient they are doing so. They are also supposed to show the patient most of those files, with limited exceptions such as the notes of mental health professionals. But hospitals worried about fraud often demand multiple forms of identification and set up other bureaucratic hurdles to patient viewing. They can refuse patient access altogether if someone else’s records are intertwined with the patient’s.
To guard against identity theft, patients should:
- Ask to see their medical files from each provider on a regular basis;
- Scan medical and insurance bills for services, medicine and equipment they didn’t receive;
- Demand an annual list from their health insurance company of benefits that have been provided.
If medical records have been compromised:
- Ask the healthcare providers to delete the incorrect information and contact everyone they have shared that information with, as required by the health insurance act;
- Ask the providers for a list of those recipients, and follow up with them;
- Clean up records with the health insurer and make sure the provider has not passed along improper benefit reports to insurance databases;
- Scrutinize credit reports for unpaid medical bills;
- File a police report;
- Contact the Federal Trade Commission and state health and insurance departments.
Sources: World Privacy Forum, Times research
Copyright 2006 Los Angeles Times