The crime of identity theft existed long before the information age and electronic records. Forgery is an old example of using another person’s identity to commit a crime, usually financial fraud. As the Internet and electronic records have grown in use and popularity, more and more people store important identity and financial information on networked computers. Networked computers significantly improve the ease and efficiency of using and providing financial services. Today, almost all financial services may be performed online at any time, day or night. However, the increased online handling of financial information has also resulted in a significant increase in identity theft. Lafferty (2007) explains “that financial identity theft is on the rise and ranks as one of the top consumer fraud complaints in the nation according to the FTC” (p. 12). The same efficiency benefits that allow consumers and financial services providers to increase their productivity also apply to identity thieves, who can steal thousands of identities at a time instead of tens.
In 2004, President Bush issued an executive order mandating the implementation of nationwide electronic health records (p. 15). Just as traditional identity theft existed prior to electronic financial records and just as having financial data online increases the impact of risks associated with identity theft, the implementation of electronic health records brings increased risks of medical identity theft. Lafferty describes medical identity theft as “both an information (i.e., identity theft) and health care (i.e., fraud and abuse) crime that results in financial, medical, and other harms to its victims” (p. 13).
Both identity theft and medical identity theft have significant negative impacts on the victims. Since the victim’s identity has been stolen, the process of establishing that the victim did not actually complete the financial transactions is lengthy and difficult. Holtfreter and Holtfreter (2006) present a case study of an identity theft victim who required “close to a year and thousands of dollars to cover her losses and restore her excellent credit history” (p. 57). The victims of medical identity theft face similar financial challenges. In addition, medical identity theft can also have potentially life-threatening results. Imagine a case where a criminal commits medical identity theft that results in a victim’s record showing a diagnosis of diabetes. In an emergency, medical workers utilizing those records might administer insulin, which can be fatal to non-diabetics. As Lafferty states,
Without doubt the most significant harm that results from medical identity theft is when health care providers unknowingly base their medical decisions in treating a victim on inaccurate information from the thief’s medical history. The harm caused by false entries in a victim’s medical history is compounded because the entries are shared with a multitude of other health care providers, creating a significant risk of future harm (p. 13).
In addition, medical identity theft results in similar financial harms to victims as traditional identity theft, with insurance limits charged to their maximums.
As with identity theft, medical identity theft is most often perpetrated by insiders with access to the records. Criminal penalties exist for both identity theft and medical identity theft. The Fair and Accurate Credit Transactions Act of 2003 and the Identity Theft Penalty Act of 2004 provide penalties for identity theft and aggravated identity theft respectively (Holtfreter and Holtfreter, 2006). These laws and regulations relating to identity theft also pertain to medical identity theft. In addition, the Health Insurance Portability and Accountability Act provides penalties for those who commit crimes that violate the privacy of medical records (Lafferty, 2007). The Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006 “was introduced [in 2007] with the intent of ‘empowering consumers and giving them a say in how companies buy, sell, and market their private data, while entitling them to effective security protections,’” including a patient’s bill of rights (Lafferty, p. 18).
Identity theft and medical identity theft are insidious crimes that are growing in frequency and result in lasting financial, reputational, and medical consequences. Businesses that process, transmit, or in any way handle financial and medical identity information must take steps to ensure that the risks associated with these data types are mitigated. For businesses to succeed at these daunting efforts, the National Institute of Standards and Technology recommends implementing an enterprise risk management framework to ensure “a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI” (Scholl, Stine, Hash, Bowen, Johnson, Smith, and Steinberg, 2008).
Holtfreter, R. E., & Holtfreter, K. (2006). Gauging the effectiveness of US identity theft legislation. Journal of Financial Crime, 13(1), 56. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=994688151&Fmt=7&clientId=62763&RQT=309&VName=PQD
Lafferty, L. T. (2007). Medical identity theft: The future threat of health care fraud is now. Journal of Health Care Compliance, 9(1), 11-20. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=23843738&site=ehost-live&scope=site
Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C. D., & Steinberg, D. I. (2008). NIST SP 800-66 Revision 1: An introductory resource guide for implementing the HIPAA Security Rule. Computer Security Division, Information Technology Laboratory (ITL), National Institute of Standards and Technology, October 2008.