Identity Theft in Health Care Facilities
Faith Mondry, J.D.
United States Postal Inspector
TYPES OF ID THEFT
• Theft of patient identifiers by employee
• Theft of patient identifiers by non-employee
• Theft of employee information
• Theft of “paper” records, HR and/or medical
• Theft of digitized records, HR and/or medical
Ripped from the headlines: “Identity Theft Reported by 33% of Healthcare Organizations”
- InformationWeek, November 9, 2010, article ID 228200516
• Theft of patient identifiers by an employee or contractor
• “Operation Quick Change”
• U.S. Postal Inspection Service Case, reported 3/25/2010, Chicago Tribune: janitorial employee alleged to have stolen patient identifiers out of files at night while she was cleaning medical offices
Ripped from the headlines: “Former Holy Cross Hospital employee pleads guilty to ID theft”
- Sun Sentinel, 1/26/2011
Fort Lauderdale, FL ER clerk alleged to have sold patient identifiers for cash
Can this type of theft be prevented?
• Best practices for pre-employment screening…do the most thorough background check available to your facility!
• Ask contractors to do the same
• Ensure that all personal identifiers are handled on a “need to see” basis
• Ensure that all personal identifiers are properly secured
• Theft or misuse of identifiers by non-employee
• How many stolen laptops do we need to read about before we get the point???
Ripped from the headlines: “Stolen laptop contained Sebastopol substance abuse patient information”
- www.pressdemocrat.com/article 20110114, January 14, 2011 - physician’s laptop was stolen at a New York hotel
Can this type of theft be prevented?
• Restrict patient information and access devices leaving the facility
• Ensure that any information leaving the facility is encrypted and password protected
• Ensure that a policy is in place, and that employees are trained to follow it, when sensitive information goes on the road
Classic “medical identity theft”
• Patients use another identity to obtain medical services
• Fraudulent medical records lead to fraudulent billing to insurance companies
• Consequences when drug allergies or interactions are under the radar with false patient identities
Ripped from the headlines: “ID theft at the doctor’s office”
- New Beauty Magazine, March 26, 2009
The “Big-Bust Bandit” in Orange County, CA used another woman’s identity to undergo liposuction and breast augmentation at the Pacific Center for Plastic Surgery
Where do you keep personal identifier information?
• Digitized files on desktops and laptops
– Who has access? Where are the computers located? Is the area secure from non-critical viewing and usage?
– What about after hours?
Where do you keep personal identifier information?
• Paper files should be secured…even during the day when offices are occupied
– File cabinets where information is stored should be outside of public/non-critical viewing areas and should have restricted access when practical
How well does your physical layout protect you from identity thieves?
Where do you place your incoming and outgoing mail?
• Postal Inspector…I have to ask.
What do you do when a breach occurs?
• If an employee is the identity thief…REPORT IT TO LAW ENFORCEMENT and follow institution’s protocol for victim notification
• If a non-employee is the identity thief…REPORT IT TO LAW ENFORCEMENT and follow institution’s protocol for victim notification
Privacy Issues
• Legal issues regarding disclosure to law enforcement
• Risk of fraud/ID theft and continued victimization vs. legal requirements to protect patient privacy
• Crime on premises
Whom do you report it to?
• State and local law enforcement
• Federal law enforcement
• Depends upon the nature/scope of the crime
QUESTIONS???