Medical Identity Theft Plagued by Confusing Claims

The topic of medical identity theft makes the headlines one or two time per year. In spite of its rarity, it’s worth delving into this subject.

The elements that define private health information in the United States can be found in the Health Insurance Portability and Accountability Act (HIPAA).

Medical identity theft is the inappropriate or unauthorized getting, possession, use, or knowledge of individually identifiable health information to acquire medical services or goods, or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims. Penalties are defined in the HIPAA privacy rule 42 U.S.C. § 1320d-6.

If you’re interested in cybercrime, you’ll find numerous and reliable statistics covering all aspects of those online misdeeds. Excellent Internet sources are the Federal Trade Commission, CyberSource, and the Internet Crime Complaint Center. But searching for data about medical identity theft is more difficult. Of these three sources, only the FTC lists medical identity thefts. The FTC claims that among all the complaints it registers (250,854 CNS identity theft complaints in 2010), medical theft amounts to only 1.3 percent (3,261 complaints).

Just to make medical theft searches more difficult, we find conflicting data. I have repeatedly read online that “Medical identity theft accounts for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005, according to the Federal Trade Commission.” When I searched for the source of this information, I found a November 2007 FTC report (page 21) that states “Three percent of victims said that the thief had obtained medical treatment, services, or supplies using their personal information.” However, a footnote adds: “Based on the responses of the 559 individuals surveyed who indicated that their personal information had been misused between 2001 and the date they were interviewed.”

Looking at specific surveys covering the United States, I have found some strange figures, such as 86,168 victims in 2001 and 255,565 victims in 2005. For example, the Redspin blog, states “Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.”

The problem is that these figures are from the FTC and cover the whole identity theft phenomenon, not solely medical theft.

The only acceptable figures I found on this subject are from the Second Annual Survey on Medical Identity Theft by the Ponemon institute:

Even if this table covers all medical identity theft categories (both online and offline), the figures seem high compared with the 8.1 million American identity fraud victims cited by Javelin Strategy & Research for 2010 or the 7 percent rate claimed elsewhere.

Next week, I will continue this blog by discussing a claim that medical record data is worth US$50 on the black market.