Medical Identity Theft

In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg told CNN that Cambridge Analytica provided Facebook with a formal certification that it had deleted all user data acquired through improper means. Unfortunately, even if that certification is accurate, it cannot address whether the data had been copied or further disclosed prior to deletion. According to Slate:

“Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”
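To make the watermarking idea in the quoted passage concrete, here is an added example written for this page (it is not Facebook's or Cambridge Analytica's code, and not anything Facebook deployed). Each recipient's copy of a constructed, fictitious dataset carries one hidden bit per record, encoded in the choice between two equivalent spellings of one field ("Texas" versus "TX"), and a keyed detector scores a leaked subset against every known recipient. The master key, the recipient names and the records are assumptions made for the example. The last function shows Aoun's caveat: a downstream consumer that canonicalizes the marked field erases the trace.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample data: fictitious records, not Facebook or Cambridge
# Analytica data. The "state" field admits two equivalent forms; the mark
# stores one bit per record there: full name for 0, postal abbreviation for 1.
STATES = [("Texas", "TX"), ("Ohio", "OH"), ("Maine", "ME"), ("Utah", "UT"),
          ("Iowa", "IA"), ("Idaho", "ID"), ("Nevada", "NV"), ("Oregon", "OR")]
ABBREV = {full: abbr for full, abbr in STATES}
FULL = {abbr: full for full, abbr in STATES}

# Hypothetical owner-side master key (assumption for the example). In practice
# each recipient gets an independent random key kept in the owner's registry.
MASTER_KEY = b"example-master-key-not-for-production"


def make_records(n: int = 64) -> List[Dict[str, str]]:
    """Build n fictitious profile records (constructed sample input)."""
    return [{"id": str(i), "name": f"user{i:03d}", "state": STATES[i % len(STATES)][0]}
            for i in range(n)]


def recipient_key(recipient: str) -> bytes:
    """Derive the per-recipient marking key from the owner's master key."""
    return hmac.new(MASTER_KEY, recipient.encode(), hashlib.sha256).digest()


def mark_bit(key: bytes, record_id: str) -> int:
    """Pseudorandom bit for (recipient, record); only the key holder can recompute it."""
    return hmac.new(key, record_id.encode(), hashlib.sha256).digest()[0] & 1


def watermark(records: List[Dict[str, str]], recipient: str) -> List[Dict[str, str]]:
    """Return the recipient's copy: same facts, spelling of 'state' chosen per bit."""
    key = recipient_key(recipient)
    out = []
    for r in records:
        full = FULL.get(r["state"], r["state"])          # canonical full name
        bit = mark_bit(key, r["id"])
        out.append({**r, "state": ABBREV[full] if bit else full})
    return out


def match_score(leaked: List[Dict[str, str]], recipient: str) -> float:
    """Fraction of leaked records whose spelling agrees with this recipient's bits."""
    key = recipient_key(recipient)
    hits = 0
    for r in leaked:
        observed = 1 if r["state"] in FULL else 0        # abbreviation means bit 1
        hits += observed == mark_bit(key, r["id"])
    return hits / len(leaked)


def identify_source(leaked: List[Dict[str, str]], recipients: List[str],
                    min_records: int = 20, threshold: float = 0.9) -> Optional[str]:
    """Name the recipient whose mark the leak carries, or None if no clear match.

    An unrelated recipient agrees on about half the records by chance, so with
    at least 20 records a score of 0.9 or better is not a coincidence.
    """
    if len(leaked) < min_records:
        return None
    best = max(recipients, key=lambda rcpt: match_score(leaked, rcpt))
    return best if match_score(leaked, best) >= threshold else None


def normalize_states(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """What a leaker or any downstream ETL might do: canonicalize the field.

    Every record now reads as bit 1, so every recipient scores about 0.5 and
    the trace is gone. This is the caveat in the quoted passage.
    """
    return [{**r, "state": ABBREV.get(r["state"], r["state"])} for r in records]


if __name__ == "__main__":
    records = make_records()
    recipients = ["firm-a", "firm-b", "firm-c"]
    copies = {rc: watermark(records, rc) for rc in recipients}
    partial_leak = copies["firm-b"][10:45]               # 35 of firm-b's records
    print(identify_source(partial_leak, recipients))
    print(identify_source(normalize_states(partial_leak), recipients))
```

The detector is keyed on the record id, so it survives a partial leak but not a leak that drops or rewrites the join key along with the marked field; that is exactly the "altered and then changed" problem Aoun describes, and it is why a mark only helps when it is spread across many fields that a consumer has no reason to normalize.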

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

Our partners Elizabeth Litten and William H. Maruca and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “Watch for HIPAA Pitfalls When Involving Police in ID Checks.” Full text can be found in the October 26, 2015, issue, but a synopsis is below. Marla’s article was also featured in Part B News.

Houston area OB/GYN clinic Northeast Women’s Healthcare has received attention for verifying a patient’s identification by contacting law enforcement. The clinic believed that a patient was attempting to use false identification in order to receive treatment at the facility, which prompted it to contact law enforcement. When local authorities were given the license number, they determined that the information provided was false, which led to the arrest of the individual seeking treatment.

Although the individual was alleged to have tampered with government records and has been reported to be an undocumented immigrant, questions have surfaced as to whether the clinic’s procedure violated HIPAA regulations by disclosing protected health information.

Some of the considerations identified in Marla’s article for providers concerned about possibly false identification submitted by a patient include the following:

  1. “Providers appear to be under no obligation under HIPAA to report suspicious documents,” points out Maruca.
  2. “It’s not up to a doctor’s office to be a cop. You need to balance quality and safety issues versus the veneer of not wanting to treat the undocumented,” Litten says.
  3. “The controversy also is fueled by its occurrence in Texas, with not only a large demographic of immigrants but also where immigration status is a hot button issue and has garnered significant publicity,” Kline says.
  4. Kline continues by stating, “Emotions on this are high in Texas. It heightens the sexiness of the case.”

The obligations of providers to report to authorities that an individual has submitted suspected false identification to secure healthcare services can be complex and fact-specific. Depending on the fact pattern, the matter can even become a media event. In light of heightened sensitivities to immigration status, this can be expected to be a developing area under HIPAA and under state identity theft laws, which may differ from HIPAA.

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

Estimates of the relative value of health records and financial data vary greatly from source to source. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in Bitcoin, which is hard to tie to a real-world identity even though its ledger is public) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

Update: President Obama signed S. 3987 as Public Law No. 111-319 on December 18, 2010.

* * *

Physicians will no longer be defined as "creditors" under the controversial "Red Flag Rules," when clarifying provisions are signed into law as expected.  The House of Representatives has unanimously passed S. 3987, the "Red Flag Program Clarification Act of 2010" which was previously approved by the Senate.  The bill now goes to President Obama for his signature.  

The brief bill redefines "creditor" to exclude service providers that advance funds on behalf of a person for expenses incidental to a service they provide to that person. The Red Flag Rule was designed to require creditors such as banks, credit card companies and other lenders, to implement various safeguards to protect their clients from identity theft.  

The original statute defined "creditor" broadly, and the FTC initially interpreted it to apply to physicians and other professionals who bill their clients for services, believing that it was obligated to do so by the statutory language. After being bombarded with complaints, FTC chairman Jon Leibowitz assured physicians that his agency was pushing Congress to work quickly to fix the Red Flag Rule that he said had "unintentionally swept up countless small businesses – including every doctor, dentist, lawyer, gardener, plumber, and housekeeper who bill customers on a monthly basis."

Enforcement of the Red Flag rules has been postponed several times, most recently in June, and the rules will take effect for other creditors on January 1, 2011. The American Bar Association and other professional societies had sued the FTC earlier this year, and the agency had agreed to delay enforcement for attorneys, physicians and accountants until the appeal of that ruling was heard. The appeal remains pending but will be rendered moot by this legislation.


More breathing room for physicians under the Red Flag rule: Following the blanket compliance extension through December 31, 2010, the FTC has announced that it had reached a joint legal stipulation with the AMA, the American Osteopathic Association and the Medical Society of DC stating that it would not pursue enforcement of the rule against physicians pending the results of an appeal of a decision striking down the application of the rule to law firms. 


In an article posted by Modern Healthcare (registration required), it was reported that on June 25, the FTC agreed to a stipulation with the three medical societies that brought suit to block the agency from applying the rule to medical practices. The American Bar Association’s motion for summary judgment for declaratory and injunctive relief from the Rule’s application to lawyers was granted. The FTC has appealed this decision and has agreed to postpone enforcing the rule against physicians until the appeal is decided. If Congress does not act to modify the rule before January 1, 2011, this stipulation will continue to exempt physicians from compliance until the conclusion of the appeal process.


In a June 14 speech before the AMA’s House of Delegates (entitled A Doctor and a Lawyer Walk into a Bar: Moving Beyond Stereotypes), FTC chairman Jon Leibowitz defended his agency’s reputation and emphasized the pro-physician efforts it has undertaken:


Fastidious bureaucrats aren’t pushing Congress to work quickly to fix the Red Flags Rule that has unintentionally swept up countless small businesses – including every doctor, dentist, lawyer, gardener, plumber, and housekeeper who bill customers on a monthly basis – the FTC is.  


Let me assure you, we feel your pain on red flags, and we want to fix it. We agree with you that the red flags rule reaches too far. We have delayed enforcement of the rule to give Congress an opportunity to legislate a solution. As to doctors, I am pleased to announce that the FTC, as part of a stipulation with the AMA, will not enforce the rule against any AMA or state medical society members until the court of appeals resolves the issue. And we call on Congress to do that sooner rather than later; the financial reform legislation moving right now is a perfect opportunity. 


The stipulation text has not been released, so it is not clear whether this enforcement moratorium applies to all physicians or only those who belong to the societies who brought the suit.

On May 28, 2010, William H. Maruca, editor of this blog, reported in a post entitled Red Flag Reprieve – Déjà vu All Over Again that, under pressure from Congress, the Federal Trade Commission (“FTC”) had agreed to postpone enforcement of its “Red Flags Rule” until January 1, 2011.  


On June 1, 2010, an article in The National Law Journal discussed the postponement, noting that enforcement of the Red Flags Rule by the FTC against doctors, lawyers, and other professionals would require them to develop written identity theft prevention programs. The article further noted that the postponement followed separate lawsuits against the FTC by the American Bar Association and by the American Medical Association and other physician associations on behalf of their respective professionals, arguing that imposing the identity theft rule requirements on their members is arbitrary, capricious and has no legally supportable basis. The article quoted FTC Chairman Jon Leibowitz as stating that Congress needs to clarify and fix problems in the application of the Red Flags Rule quickly to permit the FTC to carry out its enforcement obligations.


“Financial institutions” and “creditors” with “covered accounts” are governed by the Red Flags Rule. Therefore, a physician, other healthcare provider or lawyer could be subject to the Red Flags Rule if any of its activities meet the definition of a creditor with a covered account. This broad definition essentially includes anyone who bills after providing services or allows patients or clients to defer payment. A practice could be deemed a creditor simply by allowing a patient or client to defer payment for medical or legal services rendered.


The “final” Red Flags Rule was promulgated by the FTC as long ago as November 9, 2007 under the Fair and Accurate Credit Transaction Act of 2003.  The original compliance date for the Red Flags Rule was November 1, 2008.  However, because many healthcare providers and professionals were unaware of or uncertain as to whether the requirements of the Red Flags Rule applied to them, the FTC delayed the initial enforcement date to May 1, 2009.


Discussions and correspondence between the healthcare sector and the FTC to clarify whether health care providers, such as physicians and other providers such as hospitals, must comply with the Red Flags Rule followed.  As a result of those discussions and the subsequent lawsuits discussed above, the FTC suspended enforcement of the Red Flag Rule multiple times, with the most recent enforcement deadline date being postponed to January 1, 2011.


Significant changes with respect to the application of the Red Flags Rule may be on the horizon for the healthcare industry.  It is not clear that Congress will act or, if it does, that the legislation will clearly define the applicability of the Red Flags Rule to a specific type of healthcare provider. Providers should keep apprised of developments that may affect them.


 The oft-delayed implementation deadline for the FTC’s Red Flag identity theft protection rules has been put off for a fifth time, through December 31, 2010. The last extension would have kicked in on June 1, 2010. The FTC cited ongoing legislative efforts to clarify the application of the law to certain entities, particularly H.R. 3763 which has passed the House and is awaiting Senate action. The bill would exempt a health care practice with 20 or fewer employees; an accounting practice with 20 or fewer employees; a legal practice with 20 or fewer employees; or any other business, if the FTC determines, following an application for exclusion by such business, that such business—(i) knows all of its customers or clients individually; (ii) only performs services in or around the residences of its customers; or (iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.


Coincidentally or not, on May 21 the American Medical Association (AMA), American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC) filed a suit in federal court seeking to prevent the FTC from extending identity theft regulations to physicians.


The Red Flag rules were added to the Fair Credit Reporting Act and were ostensibly designed to require “creditors,” such as banks and credit card issuers, to implement policies to identify and prevent misuse of financial and personal information. The term “creditor” was defined broadly to include many professional practices who accept deferred payments, and the AMA and other professional societies contend that the FTC’s interpretation exceeds its legal authority.

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline date for the health care industry, with the latest deadline pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009 the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton of the U.S. District Court for the District of Columbia granted the 400,000-member ABA summary judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed in the House, and it has been referred to the Senate for consideration.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to get their Identity Theft Prevention Program developed and adopted. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep their eye on H.R. 3763 to see if its enactment will exempt them from having to comply with the Red Flags Rule altogether. Finally, watch out for other industry groups that may now, in light of the ABA’s successful action, consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such actions would be as successful as the ABA’s, given that medical identity theft is a documented and real issue in the healthcare industry.

    Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009.  The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule, and to ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.  Interestingly, last week, Law360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement.  If the ABA were to go down that route, others could follow suit (excuse the pun). 

     So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . .  but should they?

     In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers’ compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care.  In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this. 

     The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider — and, thus, should be manageable, both from an administrative and financial standpoint.   On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized.  The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem. 

     To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

This morning, the Federal Trade Commission (FTC) announced it will delay (again) enforcement of the new “Red Flags Rule,” now until August 1, 2009 to give affected entities more time to comply. In the press release, FTC Chairman Jon Leibowitz said:

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC release points out that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

The news release states that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC will be releasing templates to help them comply with the law. The FTC also already has a number of materials posted to explain what types of entities are covered by the FTC Red Flags Rule and to provide guidance.