Medical Identity Theft: Discussion – Definition of Medical Identity Theft
Definition of Medical Identity Theft
Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity – such as insurance information or Social Security Number– without the victim’s knowledge or consent to obtain medical services or goods, or when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.
Medical identity theft is an information crime and a health crime that can have medical, financial, and other impacts. In this crime, a victim’s medical identity is stolen or appropriated in some way. Victims’ financial life may be impacted, and there may be other complicating factors. However, the essence of this crime is the use of a medical identity by a criminal, and the lack of knowledge by the victim. Medical identities are readily found in medical files and insurance records. Electronic versions of medical identities appear in electronic health records  (EHRs) or large databases, but the essence is the same: in medical identity theft, a victims’ medical identity is compromised. 
Medical identity theft is a crime that has many operational models. For the purposes of separating medical identity from the plethora of health care fraud and identity theft crimes, this report considers one of the essential hallmarks of medical identity theft to be the use of identity information that results in the falsification of the victims’ medical charts with information related directly to the crime, not the actual conditions the real patient has.
Medical identity theft can be seen as a subset of health care fraud. But it is not just that, because the crime can also have financial and other life-consequences. Medical identity theft therefore also needs to be understood in its context as an information crime, that is, as a crime involving theft or abuse of identity information, and as a crime that makes individuals victims in addition to the providers and insurers who may directly bear financial losses.
Operationally, based on known cases, a single thief can steal one or more identities. A doctor can steal patients’ identities, as can a clinic or other health provider. It is not unusual in medical identity theft to find cases where entire crime rings purchase hundreds of patient names and insurance information then alter medical files and diagnoses to make millions of dollars in a few months, then move on to new victims.
Medical identity theft can be detected, but typically not by traditional reporting methods associated with financial identity theft. For example, victims may never have their credit cards or credit score affected by this crime. But they may be turned down for jobs, and may potentially have serious medical complications from the crime. For example, victims who have erroneous information put into their health record due to an imposter’s activity in their name could receive improper treatment if the errors go undetected by the victim.
Fraud or Identity Theft?
In the identity theft literature, there is a debate over what parts of the crime are “identity fraud,” and what parts are “identity theft.”  There is not currently a consensus on this definitional issue, and this lack of clarity has impacted a number of survey instruments that quantify identity theft. For example, some do not include credit card fraud in the definition of identity theft. Others do. What most people can agree on is that when a person takes over the identity information of another and uses it without consent, that can be called identity theft.
In health care fraud, definitions are even more controversial because of the complexity of those crimes. Numerous kinds of health care fraud exist, and this report does not propose to delve into the deep definitional issues in that field. 
This report is a first attempt to define this subset of health care fraud and identity theft. As statistics become available, definitions may sharpen and we may gain a better understanding of the crime.
Underlying Thinking: What Medical Identity Theft is Not
It is important to discuss an underlying aspect of this report’s definition of medical identity theft, and that is what is intentionally left out. The following types of health care fraud and identity theft cases were not considered as part of medical identity theft:
- Some health care fraud cases involve the alteration of patient information, but are not medical identity theft. For example, a doctor who wants to cover up a medical error may alter patient charts. This is not medical identity theft. The hypothetical doctor falsified records, but did not take over or abuse the identity information of the patient, although the doctor surely abused the patient.
- Some identity theft cases occur in medical settings, but are not medical identity theft. For example, if a hospital worker steals patient credit cards or other financially-related identity information and goes on a shopping spree at a mall, that is not medical identity theft but more traditional financial identity theft. In this situation, the medical identity of the person was not impacted, even though their financial information was used.
A razor-thin line exists between some cases of health care fraud. This narrow line can be seen in comparing the following two cases.
• In the case where numerous victims in Southern California were allegedly given medical tests by non-physicians and had false diagnoses inserted into their medical files by a sophisticated, organized network of medical imaging companies, the individuals actively recruited Medicare beneficiaries with the promise of free transportation, food, and medical care. The alleged perpetrators, posing as doctors and health professionals, obtained the victim’s personal information and photocopied the victim’s Medicare cards.  In this case, the victims’ information was taken, and the victims did not know their information was going to be used for further billing for visits they never made. The lack of knowledge and consent here is the key point.
Compare the previous case with another case:
• A licensed cardiologist operated on patients, allegedly giving them invasive heart procedures they did not need, for example, angioplasties. Two patients died as a result of the invasive operations. In this case, this was not identity theft, because the patients knew they were being operated on, and a real physician was operating on them. These victims may have been victims of health care fraud and malpractice, but they did not experience medical identity theft as defined in this report. 
 Electronic Health Record (EHR) is one of many terms that describe digitized patient medical and health records. Another term is Electronic Medical Record (EMR.) This report is using the term Electronic Health Record (EHR).
 Medical identity theft as the World Privacy Forum is defining it should not be confused with financial identity theft that occurs in a medical setting. See the section: “Underlying Thinking: What Identity Theft is Not” in this report.
 An identity theft literature review may be found at <http://www.ncjrs.org>. Type in the search term “identity theft” at the site’s search box.
 A definitive review of health care fraud issues may be found in Malcolm K. Sparrow, License to Steal: How Fraud Bleeds America’s Health Care System (Westview Press, 2000)..
 United States v. Dzugha, No. 5:05-cr-00589-JF, Indictment at 4–7 (N. Cal).
 United States v. Bainbridge Management, No. 1:01 cr 0049, Superseding Indictment (N.D. Ill).
Roadmap: Medical Identity Theft – The Information Crime that Can Kill You: Part II Discussion – Definition of Medical Identity Theft