Briefing Paper – Responses to Medical Identity Theft: Eight best practices for helping victims of medical identity theft

Version 1: October 16, 2007


The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These 8 best practices are a work in progress. The World Privacy Forum has released these practices to encourage discussion of what needs to be done by the healthcare sector in order to help victims of medical identity theft. The Forum is soliciting and requesting feedback on these practices.

Related materials: The 8 best practices/responses were first presented to AHIMA delegates in an October 9 speech. The speech is available here: (WPF AHIMA speech)


National level procedures

There needs to be a national level set of procedures to standardize how providers and insurers should handle medical identity theft. The procedures should come from a consensus process that includes health information management professionals, patient representatives, consumer groups, insurers, privacy groups, and others. The standards need to address how to help victims recover from this crime.

There need to be uniform but appropriately flexible answers to these questions:

  • What do we do when a patient claims fraud is in their files?
  • What do we do when a patient says the bills are for services they did not receive?
  • What do we do for patients and other impacted victims when we uncover a fraudulent operation?
  • When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
  • What do we do when a provider has altered the patient records?
  • How do we handle police reports and requests for investigation from victims?


Red flag alerts

Red flag alerts in the financial context make financial institutions affirmatively react to the potential presence of fraud in order to protect consumers and themselves. Financial fraud red flag alerts have applicability to medical identity theft. In the medical identity theft context, a red flag alert would be placed in a victim’s health care records to alert providers and insurers of potential fraudulent activity. The health care sector needs to create specific red flag guidelines for use in the medical identity theft context.


John or Jane Doe file extraction

Health information managers will be familiar with this concept already. If fraud can be substantiated, the victim’s file is purged of all information that was entered as a result of the fraud. Sometimes this is only part of the file; in some cases the entire file may belong to the thief. If the thief is unknown, the fraudulent information is completely removed from the victim’s file and held separately, so there is no danger of mistreatment due to factual error in the file. That separate file is the Jane or John Doe file. The victim’s file and the extracted file are then cross-referenced, allowing for a retraceable data trail for any audits.
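The extraction procedure described above, as an added illustration that is not part of the World Privacy Forum paper: fraud-derived entries are moved out of the victim's record into a separate Doe record, both records are cross-referenced, and each side keeps an audit entry for the move. The record layout, identifiers and sample entries are constructed for the example and do not model any real system.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    entry_id: str
    content: str          # clinical or billing content (constructed in demo())

@dataclass
class HealthRecord:
    patient_id: str
    entries: list = field(default_factory=list)
    cross_refs: list = field(default_factory=list)  # ids of linked records
    audit_log: list = field(default_factory=list)   # retraceable trail for audits

def extract_doe_file(victim, fraudulent_ids, case_id, substantiated):
    """Move fraud-derived entries out of the victim's record into a separate
    John/Jane Doe record; cross-reference both and log the move on each side."""
    if not substantiated:
        raise ValueError("fraud must be substantiated before any entry is purged")
    missing = set(fraudulent_ids) - {e.entry_id for e in victim.entries}
    if missing:
        raise KeyError(f"entries not in victim record: {sorted(missing)}")
    doe = HealthRecord(patient_id=f"DOE-{case_id}")   # hypothetical id scheme
    kept = []
    for entry in victim.entries:
        (doe.entries if entry.entry_id in fraudulent_ids else kept).append(entry)
    victim.entries = kept        # becomes empty when the whole file was the thief's
    victim.cross_refs.append(doe.patient_id)
    doe.cross_refs.append(victim.patient_id)
    moved = sorted(fraudulent_ids)
    victim.audit_log.append({"case": case_id, "action": "extracted",
                             "to": doe.patient_id, "entries": moved})
    doe.audit_log.append({"case": case_id, "action": "received",
                          "from": victim.patient_id, "entries": moved})
    return doe

def demo():
    # Constructed sample record: two genuine entries and two entered by an
    # unknown impostor (e3 is the kind of error that can lead to mistreatment).
    victim = HealthRecord("PT-1001", [
        Entry("e1", "annual physical, no findings"),
        Entry("e2", "allergy: penicillin"),
        Entry("e3", "blood type recorded as O-"),      # impostor's visit
        Entry("e4", "procedure: appendectomy"),        # impostor's visit
    ])
    doe = extract_doe_file(victim, {"e3", "e4"}, "C-2007-042", substantiated=True)
    return victim, doe
```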


Dedicated, trained personnel available

Dedicated personnel trained to respond to this crime should be available at each facility. Small providers can have dedicated regional personnel to help. It is in the providers’ or insurers’ best interest to resolve this crime, and it is in the victims’ best interest to be able to actually talk to a person about what has happened. There needs to be a designated person trained in the complexities of medical identity theft on hand to help both the victim and the institution.


Focus on the right approach: Insider, not outsider

The preponderance of medical identity theft occurs through insider methods that are extremely difficult for providers to detect, even after the fact. Even when internal file browser controls and other controls are in place, bad actors inside institutions can commit this crime on a grand scale unless those controls are backed by safeguards with extensive checks. For example, in the Cleveland Clinic/Machado case, there were existing controls on downloads of files. The criminal was still able to exceed her download limit regularly, and she sold in excess of 1,100 patient files.
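One of the "extensive checks" the paragraph calls for, as an added example that is not from the paper or from any named institution: a download limit alone only blocks or logs a single oversized pull, so this check aggregates per-user daily download totals from an access log and flags users who exceed the limit on repeated days, which is what "regularly" looks like in data. The log format, user names and counts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from any real system).
# One line per download batch: timestamp, user, number of patient records pulled.
SAMPLE_LOG = """\
2007-09-10T09:12:00Z user=hr_clerk_a downloads=12
2007-09-10T14:40:00Z user=hr_clerk_a downloads=30
2007-09-10T11:05:00Z user=billing_b downloads=8
2007-09-11T10:00:00Z user=hr_clerk_a downloads=45
2007-09-11T16:20:00Z user=billing_b downloads=20
2007-09-12T09:30:00Z user=hr_clerk_a downloads=41
2007-09-12T13:00:00Z user=billing_b downloads=15
2007-09-13T08:45:00Z user=hr_clerk_a downloads=39
this line is malformed and must not be counted
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) downloads=(?P<n>\d+)$")

def daily_totals(log_text):
    """Sum downloads per user per calendar day; malformed lines are skipped
    and counted so an analyst can see that part of the log was unreadable."""
    totals = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        totals[m["user"]][m["date"]] += int(m["n"])
    return totals, skipped

def repeat_offenders(log_text, daily_limit, max_days_over):
    """Return {user: [days]} for users whose daily total exceeded daily_limit
    on more than max_days_over distinct days. A single breach may be a
    legitimate workload spike; repeated breaches warrant review."""
    totals, _ = daily_totals(log_text)
    flagged = {}
    for user, per_day in totals.items():
        over = sorted(day for day, n in per_day.items() if n > daily_limit)
        if len(over) > max_days_over:
            flagged[user] = over
    return flagged
```

Running `repeat_offenders(SAMPLE_LOG, 40, 1)` flags only hr_clerk_a, whose split batches on 2007-09-10 add up past the limit even though no single batch did.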

Many institutions have been focusing on checking patient IDs as the primary solution to medical identity theft. While checking patient IDs will help with the one-to-two person and familial types of medical identity theft, the research does not support that this is where the bulk of the crime is. There is significant variability between providers and situations; it is therefore crucial to accurately assess and focus on all aspects of where the crime is occurring. Checking patient IDs will not stop insiders, and this needs to be taken into careful consideration by stakeholders.


Risk assessments specifically for medical identity theft

Most health care institutions already have risk assessments in place. The risk assessments need to be expanded to include medical identity theft scenarios. The assessment should include outsider threats, but should also have a strong focus on the insider threat scenario as well.


Training materials and education for the health care sector

Many individuals and institutions working in the health care sector are not yet aware of medical identity theft. Health care sector leaders need to begin sector-focused education aimed at increasing awareness of the crime, how it operates, and how it impacts victims. Ideally, an education plan would also be able to discuss a national set of standards for dealing with the aftermath of medical identity theft, with the purpose of helping victims.


Education for patients and victims

Providers and other stakeholders in the health care sector need to begin patient and victim education regarding medical identity theft. The education should focus on increasing:

  • Awareness of the crime
  • Awareness of the benefits of requesting a full copy of the health care files from all providers proactively
  • Awareness of the need to guard insurance and Medicare/Medicaid card numbers as carefully as social security numbers
  • Awareness of the need to proactively request an annual listing of all benefits paid by insurers
  • Awareness of the need to educate data breach and financial identity theft victims about the potential for medical identity theft variations of the crime