When an internist in Johnson City, Tennessee, discovered that a former employer had obtained his Medicare billing number and used it to submit more than $2 million in bogus claims, he started to worry that his entire career was in jeopardy. He became even more concerned when he learned he was under investigation by the U.S. Department of Health and Human Services.

The Tennessee physician had fallen victim to one of the newest and most devastating crimes to come down the information superhighway: identity theft. Physicians may not be at greater risk than anyone else for having their identity stolen, but they do make appealing and vulnerable targets for crooks familiar with the medical industry’s billing and payment practices.

For example, California’s Bureau of Medi-Fraud and Elder Abuse (BMFEA) has uncovered several elaborate schemes in which thieves steal the identities of physicians and patients to defraud the Medi-Cal program of millions of dollars.

Increasingly Widespread Problem
The term identity theft (also known as identity fraud) refers to any crime in which someone wrongfully obtains and uses another individual’s personal data to commit a fraud or deception, typically for economic gain. Identity theft usually involves two victims: the person whose information is stolen and used, and the commercial victim who is cheated out of services, merchandise or money.

In 1998, identity theft was criminalized by federal law through the “Identity Theft and Assumption Deterrence Act.” Violations of the measure may be investigated by any federal investigative agency—including, but not limited to, the United States Secret Service, the Federal Bureau of Investigation, the United States Postal Inspection Service and the Office of the Treasury Inspector General for Tax Administration.

Violations are prosecuted by the Department of Justice. In most cases, the crime carries a maximum term of 15 years’ imprisonment, a fine and forfeiture of any personal property used, or intended to be used, to commit the offense.

A large and growing number of people suffer significant financial and emotional harm from the crime. More than half of all complaints the Federal Trade Commission (FTC) tracked in 2003 concerned identity theft. Some 215,000 cases were reported to the FTC in 2003, up from approximately 162,000 the previous year.

The agency estimates that in 2002 alone, the U.S. had nearly 10 million identity theft victims. Over the past five years, the total number in the country has been a staggering 27.3 million.

Between April 2003 and April 2004, “phishing” —one of the newest scams in identity theft—cost victims more than $1.2 billion. Phishing involves identity thieves sending out e-mails that appear to be from nationally known businesses and other legitimate-sounding entities, asking the recipients to verify their user name, account number and access code. According to recent research, these scams fool one in 20 people.

In the past, the main ways to carry out identity theft were by stealing purses, retrieving credit card applications from the mail or trash, or engaging in computer hacking. No longer. A 2002 study conducted by the Chicago-based credit bureau Trans-Union Corp. indicated that most cases now involve the theft of personal information by employees.

In other words, they’re likely to be inside jobs committed by dishonest people in positions with access to people’s personal information.

According to Joanna Crane, manager of the Identity Theft program at the FTC, many thefts are committed by individuals who are authorized to be on company property but who should not have access to such sensitive data. Indeed, some temporary workers actually seek to be hired in order to steal personal information. In other cases, long-term employees sell personal data to crime rings, which then use it to commit fraud.

Criminal Prosecution Under HIPAA
Recently, a medical technician at the Seattle Cancer Care Alliance was sentenced to 16 months in prison, making him the first person to be criminally prosecuted for violating the privacy provisions of the Health Insurance Portability and Accountability Act.

The technician will also be required to pay $15,000 in restitution to the cancer patient whose name, birth date and Social Security number he used to obtain credit cards, with which he charged more than $9,000 in purchases.

“To be a vulnerable cancer patient fighting for your life, and have to cope with identity theft, is just unconscionable,” said U.S. Attorney John McKay. “This case should serve as a reminder that misuse of patient information may result in criminal prosecution.”

Measures to Help Protect Yourself
The following are some suggestions on how to protect yourself from identity theft:

• Run background checks on potential employees; implement internal financial controls in your practice.
• Ask patients to tell you if they get statements from insurers for services you did not perform.
• Keep prescription pads in a safe place; protect your Medicare, DEA and employer tax numbers.
• Shred documents containing personal information when they are no longer needed.

Perhaps most important: Give out your Social Security number only when absolutely necessary. According to the California Department of Consumer Affairs’ Office of Privacy Protection:

• You do not need to carry your Social Security card in your wallet or purse; leave it at home.
• If you’re uncomfortable giving a particular business your number, ask if they’ll accept a different form of identification.
• If a government agency requires you to give your number, the agency must disclose the legal authority underlying the requirement, as well as what the agency will do with the number.

For more information about protecting your Social Security number, log on to www.privacy.ca.gov/sheets/cis4english.htm.

California Attorney General Bill Lockyer urges anyone who suspects the unauthorized use of the identities of doctors and/or patients to contact BMFEA’s Hotline at 800/722-0432 and the California Department of Health Services’ Medi-Cal Fraud Hotline at 800/822-6222.