ID Theft in Health Care Emerging as Major Risk

Health care records are a "treasure trove of information" for identity thieves because they typically contain more detailed personal information on people than could be found in any other business, according to experts who help health care providers avoid identity theft.

Risk managers should make prevention of identity theft a top priority, says Thomas McShane, JD, regional managing director of the New York City office of the investigative firm SafirRosetti, which specializes in the area of financial investigative services and integrity monitoring. His unit implements legal, auditing, investigative, research, and technical support, and they recently used many of these services to uncover a major Medicaid fraud case at Staten Island University Hospital that led to several convictions. As a result of that case, SafirRosetti was appointed to a 12-year monitorship by the hospital's insurance company.

McShane works on identity theft issues with James Murray, a forensic accountant and managing director with SafirRosetti in New York City. Murray says instances of identity theft are increasing in all types of businesses, but health care organizations are proving to be a particularly fertile hunting ground for criminals in search of personal financial data. There is no way to guarantee that patients' confidential information will not be divulged, he says, but there are steps you can take to minimize that risk.

Murray points out that health care organizations are doubly burdened when it comes to protecting confidential information because they have data on employees and patients. Staten Island University Hospital has 3,500 employees. "There have been instances where employees of that hospital have had their identities stolen," Murray says. It's important to include employee data in discussions about identity theft, he says. "You probably have as much confidential information on your employees as you do on your patients, if not more."

McShane notes that if a criminal obtains personal information about a hospital employee, that person's identity can be stolen, but the information might also be used to gain access to secure areas of the hospital computer system, where much more information can be stolen.

Screening employees for criminal history is critical, the experts say. Murray recalls working with a company that hired a director of sales and promoted him quickly to president of a subsidiary company, then called in SafirRosetti to investigate financial improprieties. They found out that the man had written his application for the sales job from prison. Once he had access to information on the company's employees, he stole their identities and leased five cars in their names.

"We recommend to all our clients that they do at least a basic background check on all new hires, and the more senior the person or themore sensitive the position, the more you should a very thorough investigation," McShane says. "Anyone who will have access to sensitive information should be screened, and that can be a lot of people in health care. The entire billing department, for starters."

In addition to a criminal background check, it may be appropriate to do a credit check on people in sensitive positions such as the billing department. Murray says a bankruptcy or other financial hardshipcould put the person at higher risk of criminal activity, including identity theft. Remember that it usually is necessary to obtain permission from the applicant before doing a credit check. Steps for preventing identity theft in health care

Thomas McShane, JD, regional managing director of the New York office of the investigative firm SafirRosetti, and James Murray, a forensic accountant and managing director with the firm, recommend these risk reduction strategies for identity theft:

*Build on the strategies you already have in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA focuses more the accidental release of information, many of the same policies and procedures in place for HIPAA compliance will give you a good starting point to enact additional steps to prevent thetheft of data.

*Work closely with your information technology (IT) department to develop the appropriate technical defenses, such as firewalls, encryption, and password policies. While the IT techies may have the know-how about defensive procedures, the risk manager must impress upon them the importance of preventing identity theft and the potential liability for a breach. Make sure the IT department knows it will be a very bad day if a multimillion-dollar liability following an identity theft scandal is traced back to poor computer security.

*Educate all employees, including and especially the front line clerks and office workers, about simple steps to reduce identity theft.Examples include never walking away from a computer and leaving sensitive material on the screen, and never writing down a password whereit can be found easily.

*Perform a risk assessment to determine what information is available on the system and where. How many different computer systems contain sensitive data? Can it be centralized into one system where you can pour all your security resources? A key goal is to ensure that computers — whether they are desktop or laptop — do not contain any unnecessary data that could be useful to an identity thief.

*Assess compliance with your own policies and procedures. It is common for health care organizations to have safeguards that look greaton paper but aren't followed by employees. Employees must be reminded and re-educated about the importance of these security steps on a regular basis.

When you test compliance, you're likely to find out 30% of the employees aren't following your procedures, McShane says. "They're doingit the old way because they don't want to change, or they think the new procedure is too much trouble, or they're just careless," he says. "Don't depend too much on the fact that you've put out this policy and you're assuming everyone follows it."

One of the biggest risks when trying to protect patient information involves the use of laptop computers. Murray and McShane says risk managers must work closely with their information technology staff toensure that laptops contain only the data necessary for the user andthat the information is protected by passwords or encryption. Employees also must understand that the laptops are at a high risk for theft and should be protected at all times.

It is all too easy for someone to walk off with a laptop that contains sensitive information. For instance, Murray points to a recent incident at Vassar Brothers Medical Center in Poughkeepsie, NY, which reported that a laptop computer stolen from the facility contained a copy of the hospital's entire master patient database. That database made it a gold mine for any identity thief.

In announcing the theft, the hospital did not say exactly how manynames were contained in the database but noted that 257,800 of thosewhose names were in the database were at risk of becoming identity theft victims. They were at risk because the database contained other personally identifiable information on those patients, such as SocialSecurity numbers and addresses.

The hospital reported that the computer theft occurred during a hospital disaster planning exercise. The hospital copied its master database to several laptops for a disaster drill on May 21, simulating the need to operate during a disaster without access to the facility'smain computer system. The master database was placed on several laptop computers that were distributed throughout the facility.

The stolen laptop had been strapped to a cart in the hospital's emergency department and used to collect patient data at the bedside during admission. The hospital reports that since the theft, it has erased copies of the database that were on other laptop computers. The hospital notified those whose information was on the laptop and advised them to place a fraud alert on their credit reports. (See box for more examples of stolen computers and identity theft in health care facilities.) Stolen laptops and poor security can lead to ID theft

Consider these examples of identity theft in healthcare:

*A patient goes in to a hospital for preoperative testing and ends up with more than $8,000 charged to fake accounts in his name at stores across his state.1 In this case, a hospital spokesperson initially said there was no conclusive evidence that any hospital employee misused the surgical patient's personal information, but the arrest warrant said the person was able to obtain a credit card with information stolen by someone who worked at the hospital.

The warrant also said the employee stole patient information including names, birth dates, and Social Security numbers. That employee passed the information to the person who was arrested, who passed the information to an unidentified person in another state. The unidentified person would make up fraudulent operators' licenses and identification cards in the names of the patients, according to the warrants. The warrant identified that the hospital employee was fired from the hospital for violation of policy.

*A patient takes his son to the emergency department at the same hospital and ends up with a $24,000 debt at Home Depot for an account falsely opened in his name.2 According to the media report, theperson's name, date of birth, and Social Security number were used to open the Home Depot account. A third patient at the same facility, who had cancer and later died, also was a victim of identity theft. Police arrested an employee of the hospital's affiliated medical school who had access to hospital records, and she pleaded guilty to identity theft charges.

*A hospital notifies 25,000 patients that their identities may have been stolen after two contract employees are arrested on charges of stealing personal information from surgery and emergency patients and charging thousands of dollars on fake credit cards.3 According to a media report, both were employees of a photocopying company that the hospital hired to copy patients' medical records. The women also copied records for patients and attorneys. The photocopying firm says they are planning on conducting stronger background checks; however, the two arrested had no previous records. The hospital is offering credit monitoring and support for the affected former patients.