Nightmarish is the word one hears most often in connection with medical identity theft, Ms. Dixon said. Because there are no laws, there is no one to call for help. The crime should be reported to local police, but that is usually futile, and if the victim notifies anyone else, he or she may be reporting the crime to the same people who committed it.
Explore This Issue: May 2007
One of the big problems, according to the WPF report, is that victims fall through law enforcement gaps (chasms, really) because no one agency knows how to help.
For example, financial identity theft experts know little about medical affairs or the complexities of the Health Insurance Portability and Accountability Act (HIPAA). The FTC is not responsible for medical issues, and the federal Department of Health and Human Services has no published studies or guidance about medical identity theft, which is not the same as health care fraud.
Mr. Long called health care organizations particularly vulnerable, saying that some employees are induced to provide rosters of patient names to crime rings. Moreover, partly because of HIPAA as well as other circumstances, the thieves get away with it because there are no big fines, no jail time, and no enforcement of the existing weak regulations, he said.
Medical identity theft is relatively easy to commit now, and it will become easier as paper-based records are changed to electronic ones via the National Health Information Network and disseminated to huge numbers of people who may or may not have legitimate access to them.
Current policy maintains that digitizing medical records will improve care, reduce fraud and errors, and save lives. This can be true, but committing private and sensitive data to cyberspace is an open invitation to steal, Ms. Dixon maintained.
The more digitized the health care system becomes (and there’s no stopping now), the greater the problem of medical identity theft. There’s too much cheerleading about electronic records on the part of government administrators, insurance companies, and others, and not nearly enough emphasis on its downside: what it does to patients whose data are stolen. I don’t know of any electronic program that has had risk-assessment studies prior to implementation.
Ms. Dixon said that she is not opposed to electronic records (although paper does protect people), but if there was a risk-management process in place, things might be okay. Making the system hack-proof is a daunting task, but it must be done.