Medical identity theft a more prevalent occurrence

When Joanna Saenz opened her mail one summer day several years ago, she got quite a shock.

The news? Joanna Saenz had delivered a baby girl, born July 1, 2006, in Nebraska, and now it was time to pay the hospital bill.

But Saenz didn't have a daughter, and she had never been in Nebraska.

The baby's mother had appropriated Saenz's identity using a birth certificate and Social Security card stolen 10 years ago from Saenz, then 17, when she was in Mexico visiting relatives.

Saenz's story was told in Philadelphia last week by a lawyer with the Federal Trade Commission who was talking about identity theft in general and medical identity theft in particular to a group of consumer advocates at a session at Temple University.

Although coincidental, the session's timing was on the mark. On Oct. 19, the day after the session, two local affiliated health insurers said they had lost the records of more than 280,000 people.

"It is certainly a significant problem," said the FTC lawyer, Lisa Schifferle, in an interview later. "It can turn people's worlds upside down."

Saenz agreed.

"That woman consumed my life for 10 years," said Saenz, now 27, of the person who stole her identity. Saenz is the founder of Identity Recovery of Colorado, a nonprofit organization dedicated to helping victims of identity theft.

"That woman had an education, houses, and cars in my name," Saenz said.

In Pennsylvania, only seven of the 285,691 records missing from the local insurers included Social Security numbers. But many other records included names, addresses, health-plan identification numbers, and personal health information, according to a spokeswoman for the two companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan.

In the realm of identity theft, medical identity theft is a relatively small slice, compared with incidents of theft stemming from stolen credit card information.

"The breaches of medical information tend to be a lot smaller than the financial breaches, simply because of the number of transactions involved," said Paul Stephens, director of policy and privacy for the Privacy Rights Clearinghouse, an advocacy group based in California.

But, because medical records are so complete, they can pose an even greater risk, said Lance Haver, the city's director of consumer affairs.

Medical records often include payment data, leading to financial and credit fraud.

Particularly prized, Haver said, are medical records involving painkilling drugs like OxyContin.

"That's a valuable commodity that can be sold on the street," he said. "But the secondary problem is that the person who needs the painkillers can be blocked from getting them because that order has been filled."

Even more frightening, Haver said, is the possibility for a life-threatening error as the medical histories of thief and victim become intertwined over time. A person with an allergy could be given the wrong medicine or the wrong blood type in an emergency.

The problem can be difficult to resolve because the same federal laws that protect patient privacy also limit how much clerks for doctors or insurers can talk to patients about problems in their records.

The majority of medical identity thefts occur because the computers or portable devices that hold the data are lost or stolen, experts say.

Probably the biggest example was the theft of medical records of 26.5 million veterans and members of the National Guard and Reserves in 2006. A laptop containing the data was stolen from the home of a Veterans Administration employee.

Several organizations maintain databases of data security breaches. The U.S. Health and Human Services website lists data breaches involving 500 or more people.

The Privacy Rights Clearinghouse culls news reports and websites for incidents and publishes an extensive database sortable by category, method, and date.

For 2009 and 2010, it reported 184 health-care data incidents, with the records of 5.2 million individuals breached. In terms of numbers of people, only a handful of those incidents involved a breach as large as Keystone and AmeriHealth's with 285,691 records.

Here are some of the recent largest cases on Clearinghouse's list:

In Gainesville, Fla., two laptops were stolen from an insurer resulting in a breach involving 1.1 million members.

A Bronx health insurer said records of 409,262 people were discovered unerased on a digital copier's hard drive. The copier was found in a New Jersey warehouse.

In Massachusetts, a hospital hired a data-management company, which lost records for 800,000 people.

The site also lists some recent smaller cases in Pennsylvania and New Jersey.

Highmark Inc., Pennsylvania's largest insurer, had a breach involving 3,700 people when its premium bill to Boscov's Department Store was destroyed in the mail.

Children's Hospital of Philadelphia said that a laptop was stolen from a car outside an employee's home. The laptop had contained Social Security numbers and other information for 942 patients.

On June 30, Aetna Inc., the region's second-largest insurer, reported that records including Social Security numbers and medical information for 7,250 people were left in a file cabinet being tossed as part of an office move.

Thomas Jefferson University Hospital notified 21,000 patients on July 23 that a laptop with their health and personal information on it was stolen from one of its offices.

Privacy Rights Clearinghouse, a nonprofit advocacy and research group dealing with all types of privacy issues - medical and not: http://go.philly.com/privacy1

The U.S. Department of Health and Human Services' policy on medical privacy: http://go.philly.com/privacy2

EndText