Identity Theft in Health Care Facilities

Faith Mondry, J.D.

United States Postal Inspector

TYPES OF ID THEFT

• Theft of patient identifiers by employee

• Theft of patient identifiers by non-employee

• Theft of employee information

• Theft of “paper” records, HR and/or medical

• Theft of digitized records, HR and/or medical

Ripped from the headlines:“Identity Theft Reported by 33%

of Healthcare Organizations”InformationWeek, November 9, 2010 article ID 228200516

• Theft of patient identifiers by an employee or contractor

• “Operation Quick Change”• U.S. Postal Inspection Service

Case, reported 3/25/2010, Chicago Tribune, janitorial employee alleged to have stolen patient identifiers out of files at night while she was cleaning medical offices

Ripped from the headlines: “Former Holy Cross Hospital employee pleads guilty to ID

theft”-Sun Sentinel, 1/26/2011

Fort Lauderdale, FL ER clerk alleged to have sold patient identifiers for cash

Can this type of theft be prevented?

• Best practices for pre-employment screening…do the most thorough background check available to your facility!

• Ask contractors to do the same• Ensure that all personal identifiers are

handled on a “need to see” basis• Ensure that all personal identifiers are

properly secured

• Theft or misuse of identifiers by non-employee

• How many stolen laptops do we need to read about before we get the point???

Ripped from the headlines:

“Stolen laptop contained Sebastopol substance abuse

patient information”

-www.pressdemocrat.com/article 20110114, January 14, 2011-physician’s laptop was stolen at a New York hotel

Can this type of theft be prevented?

• Restrict patient information and access devices leaving the facility

• Ensure that any information leaving the facility is encrypted and password protected

• Ensure that a policy is in place- and that employees are trained to follow it- when sensitive information goes on the road

Classic “medical identity theft”

• Patients use another identity to obtain medical services

• Fraudulent medical records lead to fraudulent billing to insurance companies

• consequences when drug allergies or interactions are under the radar with false patient identities

Ripped from the headlines:“ID theft at the doctor’s office”

-New Beauty Magazine, March 26, 2009

The “Big-Bust Bandit” in Orange County, CA used another woman’s identity to undergo liposuction and breast

augmentation at the Pacific Center for Plastic Surgery

Where do you keep personal identifier information?

• Digitized files on desktops and laptops– Who has access? Where are the computers

located? Is the area secure from non-critical viewing and usage?

– What about after hours?

Where do you keep personal identifier information?

• Paper files should be secured…even during the day when offices are occupied– File cabinets where information is stored

should be outside of public/non-critical viewing areas and should have restricted access when practical

How well does your physical layout protect you from identity

thieves?

Where do you place your incoming and outgoing mail?

• Postal Inspector…I have to ask.

What do you do when a breach occurrs?

• If an employee is the identity thief…REPORT IT TO LAW ENFORCEMENT and follow institution’s protocol for victim notification

• If a non-employee is the identity thief…REPORT IT TO LAW ENFORCEMENT and follow institution’s protocol for victim notification

Privacy Issues

• Legal issues regarding disclosure to law enforcement

• Risk of fraud/ID theft and continued victimization vs. legal requirements to protect patient privacy

• Crime on premises

Whom do you report it to?

• State and local law enforcement

• Federal law enforcement

• Depends upon the nature/scope of the crime

QUESTIONS???