The impostor in the ER

By Richard Rys

updated 8:38 a.m. ET March 13, 2008

Katrina Brooke felt well prepared for the birth of her son, Andrew, three Aprils ago. The only complication was her Caesarean section; otherwise, everything went smoothly. After three days in the hospital, Brooke returned to her home outside of Seattle to recover and enjoy her baby boy.

Three weeks later, as Brooke stood in her kitchen opening mail, she found a curious $94 bill from a local health clinic, a place neither she nor her husband had ever heard of. Stranger still, the notice was addressed to her newborn son: Andrew had apparently visited the clinic and been prescribed the painkiller OxyContin for a work-related back injury.

It seemed like a simple clerical error at first — one that might even have been funny, considering the only labor Andrew had been involved in was his own birth. But the more Brooke scrutinized the letter, the more concerned she grew. Andrew’s middle name was on the bill, and no one knew the baby’s full name but a handful of friends and family — as well as the hospital, where she had filed the paperwork for Andrew’s birth certificate, which included their family’s home address and Social Security numbers and Brooke’s maiden name.

A call to the clinic confirmed that a mystery man had used their child’s newly minted identity to obtain health care only one week after Andrew was born. The Brookes had become victims of a crime they’d never heard of: medical identity theft. “People aren’t aware of this unless it happens to them,” Brooke says. “When you first get the bill, you’re confused. Then when you delve into it, you think, What other information do they have? What else is going to happen to us now? At that point, it was scary.”

Luckily for the Brookes, the clinic agreed to waive its charges. But for many victims, the crime doesn’t surface until unthinkable damage has been done. The worst case: insurance maxed out to its lifetime limit, years spent untangling paper trails, and medical records permanently altered. Unlike a stolen credit card or savings account number, this kind of identity theft could be life-threatening. Imagine what could happen if someone else’s medical history was injected into your records: You could arrive at an ER and be given the wrong type of blood or be refused medication because your file says you are allergic. And because mistakes in medical records can be notoriously hard to expunge, you could spend years convincing doctors you weren’t actually diagnosed with the diseases, mental illness or substance-abuse problems appearing in your file.

According to a recent survey by the Federal Trade Commission (FTC), 3 percent of U.S. identity-crime victims had someone use their personal information — a Social Security number, an insurance policy ID, even a mere driver’s license — to obtain medical services or to profit from filing false claims in their name. That means nearly 250,000 Americans may be victims each year. For an increasing number of career criminals, health care workers and consumers struggling to keep up with bills, the lure of medical identity theft is too great to resist, notes Chris Dorn, a fraud expert with Ingenix, a health care fraud investigation firm in Eden Prairie, Minnesota. “The overall cost of health care has risen so much that it has become a valuable commodity,” Dorn says. “Any time you have 47 million Americans without adequate health care coverage, you will have people out there willing to steal it.”

The stakes are high
It took one phone call to make Anndorie Sachs, a mother of four in Salt Lake City, aware of how serious medical identity theft has become. She says that in April 2006, a Utah social worker notified her that her newborn had tested positive for methamphetamines — as a result, the state planned to take away all of her children. In fact Sachs, then 27, hadn’t been pregnant in more than two years; her stolen driver’s license had ended up in the hands of Dorothy Bell Moran, a meth user who gave birth using Sachs’s name. After a tense few days of phone calls with child services, Sachs was allowed to keep her kids. She then hired a lawyer to sort out the damage to her legal and medical records, and figured her worries were over.
Months later, when Sachs suffered a kidney infection, she was careful to avoid the hospital where Moran had used her identity. It didn’t matter: The thief’s records had circulated electronically and intermingled with her own. Moran’s emergency contact number was listed in Sachs’s file, and there may have been other mistakes, such as the thief’s blood type. Sachs — who has a blood-clotting disorder and for whom the wrong medication could be disastrous — was savvy enough to alert the hospital staff, who straightened out her charts before making a critical error. “Had [Moran’s] baby not tested positive for drugs, I wouldn’t have known anything about it,” Sachs says. “I have a hard time believing that everything is back the way it was before. It’s terrifying to think about.”

Consider the number of people who see your personal information when you become sick. “There are so many players,” says Robert Gellman, a privacy consultant and attorney in Washington, D.C. “Doctors, hospitals, pharmacies, labs, insurance companies — any single medical treatment can involve a half dozen entities.” To turn your life upside down, it takes only one person at one of those places willing to use her access as an opportunity for exploitation. In Florida, an office coordinator at the Cleveland Clinic in Weston printed out 1,100 patient records, then sold them to her cousin for $5 to $10 per patient, according to an FBI agent involved in the case. The World Privacy Forum, a nonprofit research group in San Diego, reports that prosecutors in New York, California and Florida have uncovered a technique that would make Tony Soprano proud: “clinic takeovers,” in which criminals buy a health care center, steal information from it to file false insurance claims, and then shut the whole thing down before anyone catches on.

It’s not just professional crooks working the system. In Miami, physicians sold their medical licenses and provider numbers to a clinic that racked up $6.5 million in false claims. A Boston-area psychiatrist altered records of his patients and their families to reflect sessions and diagnoses they didn’t have, then billed insurance companies for treatment he never provided. Then there are victims like Joanne Lomax of Philadelphia, a 32-year-old package handler who was surprised when her insurance rejected her claim for a $189 gynecological visit. She was even more stunned to learn why — only one annual checkup was covered, and another woman had already used Lomax’s name to pay for her own exam.

As Lomax learned, your insurance card isn’t just something you dust off for doctor’s appointments — in the hands of a thief, it becomes a credit card, a PIN and a license to spend. FTC numbers suggest that medical identity crimes may cost the U.S. economy $468 million per year. “This crime is so insidious,” warns Pam Dixon, founder and executive director of the World Privacy Forum. “It affects more people than you realize — and the stakes are as high as they can get.”

MORE FROM HEALTH CARE

Health care Section Front

Fentanyl deaths topped 1,000 over two years N.J. licenses to require organ donation decision Health officials back paperless prescriptions Singapore may pay donors for kidneys Pills to pillows: When to toss them Family sues for muscular dystrophy drug Surgeons taking kidneys through the navel ‘Cuckoo’s Nest’ hospital to be torn down Health insurance caps leave patients stranded Hospital bullies take a toll on patient safety Health care Section Front   Add Health care headlines to your news reader: