Medical Records Theft and Fraud

There's a Reuters article on new types of fraud using stolen medical records. I don't know how much of this is real and how much is hype, but I'm certain that criminals are looking for new ways to monetize stolen data.

Posted on September 26, 2014 at 12:44 PM • 14 Comments

Comments

Andy • September 26, 2014 2:10 PM

It's very real. We have people walking into this facility, on a regular basis, with insurance cards that don't match their name on their ID.

BJP • September 26, 2014 2:23 PM

I guarantee you the most lucrative final destination for stolen medical data is insurance underwriters, drug marketers, and other legitimate firms that cannot access this information they REALLY want through any legal means.

Good luck proving your life insurance denial is due to the "has a resting heart rate of 110bpm and performs no vigorous physical activity ever" medical swiped from your Apple Watch.

milkshake • September 26, 2014 3:57 PM

When I was living in Tucson 20 years ago, helpful people in the billing department in one of the major hospitals were giving "heads up" to a second mortgage predatory broker, whenever an under-insured patient was facing an expensive procedure and there was a question whether the patient could afford it...

65535 • September 27, 2014 3:52 AM

@ milkshake
“…one of the major hospitals were giving "heads up" to a second mortgage predatory broker, whenever an under-insured patient was facing an expensive procedure and there was a question whether the patient could afford it...”

That is a nasty scam.

I know there are plenty of people on the inside of the industry who give out medical information for money.

One of the most sizable scams is the number of former inmates who are now on the medical disability portion of SSI (for “mental problems”). In big cities like LA, SSI will disburse a lump sum of about 7K to 10K to former inmates and then provide a monthly annuity amount.


John • September 28, 2014 12:16 AM

I work in a relatively small health system. The idea that people are using this information to get healthcare is preposterous. Expensive tests that one would be motivated to steal, like an MRI, are pre-certed. You're not getting it if your ID doesn't match the card. You can't just present a card and get it. You can't just use a made up number either, we verify coverage. Let's just say you did get the test through identity theft of someone insured, we don't do exams without a doctor's order. That's another level of coverage and ID verification. When the EOB comes to the insured, they're going to call the insurance. Do you think they need an excuse to deny a claim? Likely, you can't just go to any facility, you'll have to stay in network and if they have a health record to steal they've been to the same facilities. Somebody might recognize that you're not that person just by sight. By the way, you left your DNA and if you had a head CT, the tech can do a 3D rebuild and show your face down to the last zit. Think the lab might notice a change in blood type? The radiologist is going to see older exams and know right away he's not looking at the same patient. Security tapes are being pulled as we speak. The report that you need is not going to be there because he's not reporting it. I don't buy that line of reasoning. In a perfect storm of identity theft, occasionally some might slip through but it's unlikely the benefits would ever outweigh the risk. Why not just come through the ER like everyone else and just don't pay? I'm not convinced fraudulent billing is all that possible. Insurance companies have turned denying claims into an art form. If you're already providing medical services legitimately, you could fraudulently bill, but wouldn't you just use the patient information you already have? Wouldn't stolen records put you at more risk since you haven't dealt with them? Wouldn't the patient eventually get an EOB and complain since they didn't get the scooter or lift chair you billed for?
The only other outlet is for underwriters and prospective employers. I'm not ruling out the death pool though.

Some guy from across the pond • September 28, 2014 9:47 AM

Hi, thank you for the insightful comments. As someone who is unfamiliar with this, I have some questions. I hope you don't mind.

What are insurance underwriters?

I had to read twice but I think I got this.
A second mortgage predatory broker: is he just after the commission fee, or is there more involved?

jayson • September 28, 2014 12:52 PM

Most people on Medicare don't read the EOB, don't understand it, and don't care because they don't pay the bill. There are so many obscure charge codes that it is easy to add one and not be noticed.

A terminal cancer patient probably has a prescription for powerful pain killers that are administered as needed. These drugs have a high black market value. A thief could present a card for that patient and get a refill and it would not appear strange. Very sick people do not collect prescriptions in person. The local CVS clerk can be fooled if the thief has the patient SSN and other info.

There is already a problem with hospice aides who steal these medications from terminal patients they care for. This is hard to track and often not reported. The system is so convoluted and twisted that it is easy to see how fraudsters can scam it.

Z • September 29, 2014 6:49 PM

Regarding patients reading EOBs, that's not a strong security check. I'm a lawyer, and one of my practices is suing health care insurance companies. I carefully read all my family's EOBs. Over the last 5 years, they have become unintelligible, even to me.

The provider's name is often different than the name I know for them. The procedures aren't described in a way that is meaningful to the patient. A single procedure might be billed in multiple lines across different EOBs. Conversely, multiple procedures might be rolled up into a single billing entry. The stated "date of treatment" roughly, but not exactly, aligns with the actual date the treatment was received. Also, EOBs aren't given for prescriptions. In short, they're a mess.

My guess is that the fraud isn't receiving treatments for the wrong insured. My guess is that the fraud is billing for treatments that were never given. I'd wager that Medicare recipients' information is more valuable, since Medicare is far less likely to investigate phantom treatments than private insurers.

Andrew_K • September 30, 2014 12:39 AM

I am more concerned about (ab)use for marketing and other social engineering purposes, ranging from advertisements or clever pretexting as a specialist who mis-dialed on the phone to coercion of persons with mental problems (which is almost a classic leverage).

vas pup • September 30, 2014 10:29 AM

@jayson: "The system is so convoluted and twisted that it is easy to see how fraudsters can scam it." Yes, you are absolutely right. Most scams utilized vulnerability of system design and its complexity for understanding by seniors in particular. In civilized settings (e.g. Germany - Benny will object if I am wrong) patient responsibility is to pay premium, but not to resolve all financial/billing issues between health provider and insurance company. That is their responsibility, not patient's.
@Z. The strange thing is that by default the financial responsibility of patient and his/her insurance is not shared, but solidary which I guess is wrong in a core. As soon as health care provider accept and verified insurance coverage with insurance company and get pre-approval, the patient responsibility and insurance company responsibility become shared with shares divided between both based on coverage approved. In this case health provider's statement that insurance is between patient and insurance company, not between insurance company and health provider should become irrelevant/ill-founded. The last but not least, some health providers licensed by Gov to practice medicine do not accept Gov issued insurances at all (Medicaid or Medicare). That is absolutely insane.

TRX • October 1, 2014 3:56 AM

> There is already a problem with hospice aides who steal these
> medications from terminal patients they care for.

I once had a part-time job at a pharmacy, delivering drugs to nursing homes. I eventually found out that many of the people in nursing homes were there because they required powerful pain medication, and if they lived at home or with a relative, someone would steal their meds.

BJP • October 1, 2014 8:35 AM

@Craig McQueen:

Take your pick.

"NHS patient data to be made available for sale to drug and insurance firms"
http://www.theguardian.com/society/2014/jan/19/nhs-patient-data-available-companies-buy

"Your medical records are for sale"
http://www.businessweek.com/articles/2013-08-08/your-medical-records-are-for-sale

"How the insurer knows you just stocked up on ice cream and beer"
http://online.wsj.com/news/articles/SB10001424127887323384604578326151014237898

"Your doctor knows you're killing yourself. The data brokers told her"
http://www.bloomberg.com/news/2014-06-26/hospitals-soon-see-donuts-to-cigarette-charges-for-health.html

"How your doctor and insurer will know your secrets even if you never tell them"
http://www.businessinsider.com/hospitals-and-health-insurers-using-data-brokers-2014-7

Need more?

SchneieronSecurityFan • October 3, 2014 9:55 AM

One way that fraudsters obtain information about individuals is to bribe administrative employees in doctors' offices or to pay for the prospective employees' education.

This type of information was obtained in order to file fraudulent income tax returns and get refunds.

Another point from the article is the old computer hardware and software that is still in use. About five or six years ago, I was in a doctor's office that had in the front office a Windows Vista computer running a Windows 3.x or MS-DOS program from 1990. I couldn't believe it ran. Hopefully, I think a lot has changed since then.

Another potential place for theft is the applicant and employee records kept by employment agencies.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.