Health care records are a "treasure trove of information" for identity thieves because they typically contain more detailed personal information on people than could be found in any other business, according to experts who help health care providers avoid identity theft.
Risk managers should make prevention of identity theft a top priority, says Thomas McShane, JD, regional managing director of the New York City office of the investigative firm SafirRosetti, which specializes in the area of financial investigative services and integrity monitoring. His unit implements legal, auditing, investigative, research, and technical support, and they recently used many of these services to uncover a major Medicaid fraud case at Staten Island University Hospital that led to several convictions. As a result of that case, SafirRosetti was appointed to a 12-year monitorship by the hospital's insurance company.
McShane works on identity theft issues with James Murray, a forensic accountant and managing director with SafirRosetti in New York City. Murray says instances of identity theft are increasing in all types of businesses, but health care organizations are proving to be a particularly fertile hunting ground for criminals in search of personal financial data. There is no way to guarantee that patients' confidential information will not be divulged, he says, but there are steps you can take to minimize that risk.
Murray points out that health care organizations are doubly burdened when it comes to protecting confidential information because they have data on employees and patients. Staten Island University Hospital has 3,500 employees. "There have been instances where employees of that hospital have had their identities stolen," Murray says. It's important to include employee data in discussions about identity theft, he says. "You probably have as much confidential information on your employees as you do on your patients, if not more."
McShane notes that if a criminal obtains personal information about a hospital employee, that person's identity can be stolen, but the information might also be used to gain access to secure areas of the hospital computer system, where much more information can be stolen.
Screening employees for criminal history is critical, the experts say. Murray recalls working with a company that hired a director of sales and promoted him quickly to president of a subsidiary company, then called in SafirRosetti to investigate financial improprieties. They found out that the man had written his application for the sales job from prison. Once he had access to information on the company's employees, he stole their identities and leased five cars in their names.
"We recommend to all our clients that they do at least a basic background check on all new hires, and the more senior the person or the more sensitive the position, the more you should do a very thorough investigation," McShane says. "Anyone who will have access to sensitive information should be screened, and that can be a lot of people in health care. The entire billing department, for starters."
In addition to a criminal background check, it may be appropriate to do a credit check on people in sensitive positions such as the billing department. Murray says a bankruptcy or other financial hardship could put the person at higher risk of criminal activity, including identity theft. Remember that it usually is necessary to obtain permission from the applicant before doing a credit check.
Steps for preventing identity theft in health care