ShareThisOne patient nearly received a transfusion of the wrong kind of blood -- a life-threatening mix up.
The cause? A bogus medical file that had been created by an identity thief. The criminal used the victim's name to obtain medical care. The criminal's blood type was recorded in the victim's medical records, leading to the almost fatal mistake.
"It was a close call," said Larry Ponemon, a nationally recognized authority on identity fraud. Researching medical identity theft, Ponemon found that case and another instance where medical identity theft had placed a victim's health in jeopardy. The second patient nearly got an inappropriate and unneeded procedure.
Ponemon, chairman of the Traverse City, Mich.-based Ponemon Institute, a think tank, declined to provide the individuals' names, nor the name or location of the health care system with the bad records, for privacy reasons.
"Those could have been deadly," Ponemon said of the incidents.
Affecting an estimated 1.5 million Americans overall, according to estimates from Ponemon, medical identity theft poses a threat beyond the headaches associated with fixing financial fraud: The crime alters your medical records and can compromise your care.
Unlike financial ID theft -- which can be flagged through credit bureaus -- there is no central source for checking your medical records, according to the Federal Trade Commission, the federal consumer watchdog agency.
Medical providers say that federal law hamstrings ID theft victims from seeing files created in their name: That's because medical records created about all patients -- including identity thieves who use your name - are covered by privacy rules in the Health Insurance Portability and Accountability Act (HIPAA), according to Lawrence Hughes, assistant general counsel for the American Hospital Association.
"You must protect all persons' information -- whether it is a real patient or a patient that has committed a case of identity theft," Hughes said.
For America's victims of medical ID theft, there is no system to identify and correct the damage left by an impostor. In fact, a Scripps Howard News Service investigation finds:
-- Medical providers are refusing to give ID theft victims access to records, invoking the privacy rights of the thieves, according to victims, experts and hospital officials. The only way for this to change is for federal authorities to create explicit rules to help medical ID theft victims, some say.
-- Even when hospitals are alerted about erroneous medical files, they have no systematic way to fix the records, experts say.
-- The move toward networked electronic medical records -- spurred by $19 billion from the 2009 economic recovery act -- may amplify the threat that incorrect records spread "quickly and broadly," according to a government-commissioned report.
For nearly five years, Joanna Saenz, of Denver, has tried to see the medical file created by an impostor at a Nebraska hospital. Saenz first learned of the medical care when a credit check revealed that the hospital, the Fremont Area Medical Center in Fremont, Neb., had billed her for a broken arm.
The suspected culprit was a woman who used Saenz's identity for years, obtaining for credit cards, a driver's license and other accounts, Saenz said. While living out this elaborate lie, the thief needed medical attention for a broken arm and, later, a pregnancy, Saenz said.
Saenz said she refuses to pay the impostor's bills.
The hospital has no record of anyone trying to access Saenz's file, according to a spokeswoman there.
"I am still trying to convince them to give me the records," said Saenz, 27.
Saenz said she is staying away from the area -- about 30 miles from Omaha -- on fear that if she needs medical attention there, her records might be wrong.
There are many ways criminals engage in medical ID theft. Common schemes include organized rings that defraud insurance companies and Medicare.
One such ring, busted last October, stands accused of submitting false patient claims on thousands of Medicare beneficiaries to steal more than $163 million, according to the U.S. Department of Justice. The New York-based enterprise made money by using the identities of doctors and patients to submit false claims, according to an indictment.
Methamphetamine abusers also steal identities to access prescription drugs or insurance payouts, according to the Justice department.
Thieves can gather medical information from a variety of places, including breaches from health care companies. Just this week California state authorities reported that Health Net Inc., an insurance company based in Woodland Hills, Calif., had lost personal information on 1.9 million current and past enrollees around the nation in January, and only now is making the breach public.
The risk of inaccurate medical records is mushrooming. As the medical industry replaces paper files with linked, electronic databases, the potential harm from inaccurate patient information will cascade, ID theft experts and data security analysts warn.
That's because in the electronic world, incorrect medical records will have an ever-greater chance of making their way to the doctors seeing the identity victims.
"You have someone else's medical history entangled in your medical records," said Linda Foley, founder of the Identity Theft Resource Center in San Diego.
Unaddressed medical identity theft can also take a financial toll. It can drag down a credit score and victims may have a harder time getting private insurance, experts said.
Federal authorities have been alerted. Months before the February 2009 Recovery Act set aside $19 billion for electronic health records, a report commissioned by the U.S. Department of Health and Human Services warned that the move to computerized medical files could spread false records "quickly and broadly."
Electronic record systems could move inaccurate files "across countless systems," making it more difficult for victims to remove mistakes, consultancy Booz Allen Hamilton wrote in an Oct. 15, 2008 report.
But even when ID theft victims determine which hospitals have the doctored records, they frequently cannot view the files, experts and ID theft victims said. When an identity theft victim asks to see records created by thieves, hospitals frequently deny them, citing HIPAA. The law safeguards medical patient privacy -- and hospitals have interpreted this to include ID thieves.
"There's a very significant Catch-22 that has not been resolved here," said Pam Dixon, executive director of the World Privacy Forum, a San Diego-area nonprofit that works with identity theft victims.
Both the U.S. Federal Trade Commission and Health and Human Services said that hospitals should give you access to the file created in your name. But those agencies acknowledge that medical providers sometimes deny ID theft victims access to the records.
Rick Kam, whose company helps hospitals respond to data breaches, said he knows why hospitals are not providing access to the records: They fear legal liability under HIPAA, said Kam, president of Portland, Ore.-based ID Experts.
What's necessary is a new law creating a medical ID theft victim's bill of rights, spelling out how a victim can access and correct the file and providing immunity for hospitals that do release the information, Kam said.
Even when hospitals grant access to the tainted records, they are not necessarily doing a good job fixing them, Ponemon said. His research has found that medical institutions have no consistent system for correcting the mistakes.
"There is not a set of standard procedures that we observed," he said. "You are relying on the judgment of individuals, and that is not a good thing."
(E-mail reporter Isaac Wolf at wolfi(at)shns.com)
(Distributed by Scripps Howard News Service, http://www.scrippsnews.com)
