ID Theft in Health Care Emerging as Major Risk

Risk managers should make prevention of identity theft a top priority, says healthcare risk expert


The hospital reported that the computer theft occurred during a hospital disaster planning exercise. The hospital copied its master database to several laptops for a disaster drill on May 21, simulating the need to operate during a disaster without access to the facility's main computer system. The master database was placed on several laptop computers that were distributed throughout the facility.

The stolen laptop had been strapped to a cart in the hospital's emergency department and used to collect patient data at the bedside during admission. The hospital reports that since the theft, it has erased copies of the database that were on other laptop computers. The hospital notified those whose information was on the laptop and advised them to place a fraud alert on their credit reports. (See box for more examples of stolen computers and identity theft in health care facilities.)

Stolen laptops and poor security can lead to ID theft

Consider these examples of identity theft in healthcare:

*A patient goes into a hospital for preoperative testing and ends up with more than $8,000 charged to fake accounts in his name at stores across his state.1 In this case, a hospital spokesperson initially said there was no conclusive evidence that any hospital employee misused the surgical patient's personal information, but the arrest warrant said the person was able to obtain a credit card with information stolen by someone who worked at the hospital.

The warrant also said the employee stole patient information including names, birth dates, and Social Security numbers. That employee passed the information to the person who was arrested, who passed the information to an unidentified person in another state. The unidentified person would make up fraudulent operators' licenses and identification cards in the names of the patients, according to the warrants. The warrant identified that the hospital employee was fired from the hospital for violation of policy.

*A patient takes his son to the emergency department at the same hospital and ends up with a $24,000 debt at Home Depot for an account falsely opened in his name.2 According to the media report, the person's name, date of birth, and Social Security number were used to open the Home Depot account. A third patient at the same facility, who had cancer and later died, also was a victim of identity theft. Police arrested an employee of the hospital's affiliated medical school who had access to hospital records, and she pleaded guilty to identity theft charges.

*A hospital notifies 25,000 patients that their identities may have been stolen after two contract employees are arrested on charges of stealing personal information from surgery and emergency patients and charging thousands of dollars on fake credit cards.3 According to a media report, both were employees of a photocopying company that the hospital hired to copy patients' medical records. The women also copied records for patients and attorneys. The photocopying firm says they are planning on conducting stronger background checks; however, the two arrested had no previous records. The hospital is offering credit monitoring and support for the affected former patients.