Medical Identity Theft: Discussion – How People Have Discovered They are Victims of Medical Identity Theft

Report home | Read the report (PDF) | Previous section | Next section


How People Have Discovered They are Victims of Medical Identity Theft

Medical identity theft is a crime that hides itself well. It is a form of health care fraud, which, like other kinds of white-collar fraud, is not a self-revealing crime. [72] There is no way today to quantify or even guess at the percentage of victims who actually discover that their medical identities have been used fraudulently.

Statistics from the FTC address one aspect of this issue. The 2003 FTC Identity Theft Survey found that 52 percent of victims of financial identity theft discovered the misuse of their personal information “by monitoring the activity in their accounts.” This included examining monthly statements from banks and credit card issuers. The World Privacy Forum did find instances of medical identity theft victims who had “crossover impact” from perpetrators who also opened credit cards in their name, or who ran up large hospital bills that went to collections. These victims may see unusual bank or credit card activity.

But the kinds of fraudulent activity that prosecutions have documented suggest that many victims of medical identity theft will not have any unusual bank or credit card activity to alert them of the problem. As a result, victims of this crime should realistically not depend only on traditional “red flags” to alert them to trouble.

Based on cases the World Privacy Forum has studied, following are the primary ways victims have discovered medical identity theft.


Collection Notices

There is a pattern in medical identity theft crimes where perpetrators change the billing address and the phone numbers on the medical charts of victims. This is particularly true when a sophisticated ring has taken over a clinic or has stolen the identity of a doctor. [ 73] This creates a layer of insulation for the criminals because bill collectors usually can’t find the victims to alert them to a problem. But some of the “mom and pop” or “one-off” medical identity thieves can be sloppy, and this has led to some victims getting collection notices. This is what happened to a Birmingham, Alabama man.  [74]

• An acquaintance of the Birmingham victim stole his expired temporary drivers’ license and used it to receive emergency medical treatment in his name at several hospitals. Months later, the victim received a letter from an attorney demanding payment for an anesthesia group. The victim in this case was able to clear his name because an investigative reporter from a TV station helped him break through hospital red tape. The hospital was apparently reluctant to release the medical file to the victim. But the reporter was able to convince the hospital to compare a medical x-ray of the perpetrator’s and the victim’s right hand – which were markedly different, and thus cleared the victim’s name. The victim said his imposter’s activities added up to more than $10,000 in medical bills.

• In the Ryan case in Colorado, the victim received multiple collection notices from a hospital for $44,000 worth of services he had not received. On top of that, collection notices appeared on his credit report and created a subsequent drop in his credit score. [75] In Ryan’s case, he did not have insurance, so no insurance information was stolen. Even at that, Ryan’s financial life has been severely impacted by the medical identity theft. In researchers’ most recent discussion with Mr. Ryan, he has noted that his medical identity theft will likely cause him to lose everything “but his dog.” [76]


Credit Report

Consumers whose medical bills go to collections and whose identity information is used to open multiple accounts will see that activity on credit reports. Based on consumer complaints made to the FTC regarding medical identity theft, many of those victims were alerted after seeing a credit report.

However, it should be kept in mind that there are likely many more victims who simply did not find out they were victims because the criminals did not open other accounts beyond the medical accounts.


Receipt of Someone Else’s Bills

In 2005, a Lufkin, Texas medical identity theft victim received someone else’s medical bills. The bills came to the victim after the perpetrator used the Texas man’s identity to get medical treatment. The victim received the bills after the fact and filed a police report. [77]

One woman who complained to the FTC stated that she received a bill for her son for medical lab fees at a hospital when her son had never been to that hospital.

These incidents illustrate why its a good idea for consumers to review all bills and notices they receive concerning medical services. If there is a less sophisticated criminal, bills can tip victims off. But this is not something victims can rely on, however. Medical identity theft can be a sophisticated crime with professional operators that typically change billing addresses so this sort of thing doesn’t happen. Because of the high level of the criminal operators, it is more likely that victims will not know that their identities are being used.


Notification by Law Enforcement or an Insurance Company

When a fraud case comes to light, victims associated with those cases may be contacted by an insurance fraud investigator for a private insurance company, or by a member of law enforcement. In one situation like this, parents of teenagers were informed that their childrens’ psychiatrist had altered their childrens’ medical files to include diagnoses of “suicidal ideation” and other serious psychological illnesses that the children did not have.


Notification by a Health Care Provider

It is unusual for victims to be notified of medical identity theft by a health care provider, such as a doctor or a hospital. There have been a few reported cases, though. For example, a hospital near Albuquerque, New Mexico treated a woman for a toothache and prescribed her Oxycodone. When hospital staff called the patient to check on her condition, they discovered that the patient had impersonated her sister, and the sister’s identity information had been used multiple times to obtain medical services and prescription drugs. [78]


Medical Problem at an Emergency Room

The worst-case scenario is that a victim does not learn about medical identity theft, or only learns about it during the course of a medical emergency when obvious medical discrepancies that have been introduced into the medical file by the criminal are discovered.

False entries made to the medical file is common in medical identity theft, 79 what may be less common is for victims to find out about the changes.

• In a document sent to the FTC, a Florida woman stated that she went to receive medical treatment, and said she discovered that someone impersonating her had caused false entries to be placed in her medical file. The victim was able to catch errors relating to blood type in time. 80


Notification of Data Breach by a Medical Provider

Medical data breaches are serious business, because there is a long and well-substantiated history of criminals using lists of patient names in medical identity theft operations. [81] Criminals who have broken into hospital computers and have stolen patient identities for the purpose of medical identity theft may leave no other trail for victims other than a database breach notification by the breached organization.

One Jacksonville Florida consumer who complained in April 2006 to the Federal Trade Commission said that she had received a breach notification from a financial company. Later, a suspect used her name, date of birth, and Social Security Number at a dental office and charged $4,050 worth of services. The suspect also used the consumer’s Social Security Number for $950 of other medical services. [82]

Medical files belonging to Oregon and Washington patients were stolen in a health system database breach in December of 2005. A Beaverton resident was quoted in The Oregonian describing a strange experience: after the breach, he received an alert from his identity theft watch service to tell him that someone was trying to reassign his phone number. [83] Changing and reassigning victim’s phone numbers is a trick medical identity thieves have used to keep their victims in the dark about the crime.

This man probably did not know about how organized medical identity theft rings operate; in his case, he was fortunate to receive notification. A post-breach check of victims’ credit reports will usually not reveal medical identity theft, particularly if the perpetrator is a professional, as is typical with medical identity theft. Only a proactive check of insurance claims with all relevant insurers will provide the necessary clues to victims.


Denial of Insurance Coverage, Notification that Benefits have Run Out, or “lifetime cap” Has Been Reached

Another way victims have discovered medical identity theft is when they apply for medical and/or life insurance and are denied due to diseases reflected by their altered medical charts. In other cases, victims are notified that coverage for legitimate hospital stays are being denied because their benefits have been depleted, or that their lifetime cap has been reached. Sometimes, entire families can be victimized due to “looping.” Looping is a when a medical identity thief victimizes all insured members of the family one after the other, whether the victims are patients or not. After one victim’s benefits run out, the thief turns to the next member of the family until those benefits run out, and so on. [84]


Review of Explanation of Medical Benefits Notices

Some victims discovered medical identity theft when they found mistakes on their explanations of benefits notices. Medicare, Medicaid, and private insurers send these notices. In medical identity theft, the recipients’ addresses may be changed, but when this is not the case, the explanation of benefits notices can be helpful detection tools.

In California, a mother checked her mentally ill son’s explanation of benefits to find that Medicare had been billed for more than 70 respiratory treatments, even though her son did not have a respiratory condition. Medicare sent the son notices stating those benefits were paid, which was how this particular case came to light. The doctor in this case, which included other victims, fraudulently billed more than $7.6 million and was convicted of federal charges in 2005. [85]





[72] See discussion of this point in Malcolm K. Sparrow, License to Steal: How Fraud Bleeds America’s Health Care System at 120 (Westview Press, 2000).

[73] Author interviews with the FBI and Department of Justice. Also see Sparrow pages 132, 133. Also see public records on cases discussed in this report. For example, See Littleton Police Department Inclusive Case Report from January 17, 2006 re: Criminal Impersonation of Joe Ryan.

[74] Medical Identity Theft: What’s the Deal?, March 21, 2003. <>.

[75] See Littleton Police Department, Inclusive Case Report,Criminal Impersonation of Joe Ryan, pages 5, 6, and 11 (Jan. 17, 2006).

[76] Interview with Joe Ryan, April 2006.

[77] 5. The Lufkin Daily News, 15 July 2005, Police Report.

[78] Rozanna M. Martinez ,“Ex-Deputy Is Indicted On Charges of Fraud.”, 5 April 2006, Albuquerque Journal.

[79] See Jason Kandel, “Medi-Cal Fraud Flourishing on Black Market,” 7 August 2005, Los Angeles Daily News.

[80] Comment of L.Weaver in Federal Trade Commission, Identity Theft Victim Assistance Workshop,(Aug. 18, 2000), <>

[81] Interviews with Department of Justice by author.
82 World Privacy Forum FOIA to the Federal Trade Commission. FTC FOIA-2006-00601.

[83] Joe Rojas-Burke, “Providence critics push for safer records,” January 27, 2006. The Oregonian,

[84] See, e.g.,United States. v. Skodnek. 933 F. Supp. 1108, 1996 U.S. Dist. LEXIS 9788. (D. Mass. 1996.).

[85] See U.S. Department of Justice “Doctor and Biller Convicted in Multi-Million Dollar Medicare and Medi-Call Billing Scam,” Press Release, December 23, 2005. < >.



Roadmap: Medical Identity Theft – The Information Crime that Can Kill You: Part II Discussion – How People Have Discovered They are Victims of Medical Identity Theft


Report home | Read the report (PDF) | Previous section | Next section