Christine Carpenter was surprised, to say the least, when she received a bill from Jewish Hospital – Mercy Health in July for treatment of a heroin overdose.

The 37-year-old Reading resident owes nearly $700 in out-of-pocket for the May 26 visit, and her insurance company has already footed more than $3,000 of the bill.

But Carpenter hasn’t set foot inside the Kenwood hospital in at least five years, and to top it off, she has never used heroin, she said.

The explanation: Carpenter’s estranged sister stole her identity, police said.

Amber Allen, 26, checked into the hospital with Carpenter’s maiden name and provided a fake Social Security number, according Reading Police Department records. After her treatment, she left without bearing its cost and without question from the hospital. Allen now faces charges of identity theft and insurance fraud.

“I’m very angry. I want answers. I have contacted this hospital several times, and they can’t provide me with any answers as to how they’re going to fix this. I mean, how did this happen?” Carpenter said Monday. Hospital officials said they opened an investigation into Carpenter’s case on Wednesday.

She joins millions of Americans who have fallen victim to medical identity theft — stuck with hospital bills they can’t pay for and another person’s medical records folded into their own.

Adding salt to the wound, victims carry the difficult burden of proving they are who they claim to be, and often struggle to access their own records because of unintended consequences of patient privacy laws meant to protect them.

‘It’s like an unlimited credit card with no security protection’

The health care industry is experiencing a surge in data breaches, security incidents and criminal attacks, according to a May study by Ponemon Institute , a research organization devoted to privacy and security. Another study by the institute, released in January, found that more than 2.3 million Americans had their medical identities stolen during or before 2014. That’s almost 500,000 more victims than in 2013.

Rick Kam, president of ID Experts, which co-sponsored the Ponemon Institute studies, said it’s because criminals are less inclined to target the financial industry, now that banks are getting better at preventing and resolving credit card fraud.

“The criminals are migrating now to your health insurance numbers and your health information. It’s like an unlimited credit card with no security protection,” he said.

People aren’t trained to monitor their medical and insurance information like they would a credit card statement, said Ann Patterson, program director at the Medical Identity Fraud Alliance, a group that tackles identity fraud from the business side.

“Oftentimes, you won’t know you’re being victimized until years later — certainly not until you’ve received some sort of notice,” Patterson said. “By that time, the criminal could be long gone, which makes it harder for law enforcement to prosecute and track down what happened. Criminals know that, which is why they target medical identities.”

Kam said the victims who are most vulnerable to medical identity theft are people who are too young to understand a medical record and senior citizens.

Hospitals Don’t Require Identification

Jewish Hospital – Mercy Health doesn’t require patients to show identification in order to receive treatment.

That’s likely why Carpenter’s identity was stolen without raising any red flags. Hospital officials haven’t commented on the specifics of Carpenter’s case, but they opened an investigation Wednesday and suspended Carpenter’s bills after WCPO asked questions about her situation.

“We don’t refuse to treat anyone. We will ask all patients for their identification, but if they don’t have it on them, the first priority is to treat them and ensure their well-being,” said Nanette Bentley, spokeswoman for Mercy Health Cincinnati.

That’s the same policy most hospitals have across the country — and the reason why it’s so easy for someone to take advantage of a person’s medical identity, experts said.

“Doctors and nurses aren’t concerned about the administrative end so much as they are about saving a life — a life of the real person or an identity thief. To them, a life is a life,” Patterson said.

The federal Emergency Medical Treatment and Labor Act, passed in 1986, requires hospitals to stabilize and treat anyone who comes to an emergency room, regardless of their ability to pay.

“The unintended consequence of that, though, was that people who don’t have insurance learned to just walk into the emergency room, which is where the most expensive medical care is applied, and got medical treatment for free,” Kam said.

Patterson said some large hospitals are now adding identity protection measures when a new patient comes through their door. They’ll do iris scans and other biometric tests that can’t be duplicated. But she said it’ll take more than that to change a national culture of lack-of-attention to important medical records.

“We’ve been taught and (it’s been) drilled into us, ‘Don’t give out your financial information,’ but consumers haven’t been trained — and it’s not engrained in our society — to not share sensitive health information,” said Patterson.

Unlike the financial documents people are taught to shred, Patterson said our society doesn’t think twice about the medical information we throw away, including prescription bottles and the tags usually stapled to the outside of the bags that hold prescription drugs.

Medical Identity Theft More Costly Than Bills

Carpenter is more concerned about getting her sister’s medical information off of her records than she is about being stuck with her bills.

“I don’t want a heroin overdose on my medical records,” Carpenter said. “You know, that could affect me possibly if I were to go get a job somewhere else.”

Medical fraud experts say the impact of having your medical information tangled into someone else’s can come down to life or death.

Kam said if the wrong medication or diagnosis is listed on a patient’s record, they could experience severe allergic reactions or worse.

Most Victims Know The Thief

It’s not unusual that it’s Carpenter’s sister who’s accused of stealing her identity. Medical identity theft has historically been a friends-and-family crime, experts said.

Out of the 1,005 surveyed people included in the Ponemon Institute’s January study, half of the victims said they knew the person who used their medical information.

“Even with standard identity theft, you have someone who is close to the victim or has access to the victim,” said Rob Warfel, an Cincinnati FBI supervisor who handles identity theft cases at the federal level. “That’s more common, more prevalent, because it’s the people that have the direct access. It’s a crime of opportunity.”

But Kam said the fraud surge in the health care industry comes from organized crime networks and, in some cases, other countries such as Russia, China and North Korea.

“They are collecting these medical records because they can use it on a case to commit a tremendous amount of medical fraud against the U.S.,” Kam said.

Warfel said thieves still use old-fashioned methods to steal medical identities, such as dumpster diving, stealing mail or social engineering.

“Further, there is often an internal risk when temporary employees or medical center (and) facility employees have access to patient personally identifiable information. There is an ever-increasing threat of breaches through hacking and databases targeted for patient information,” he said.

Why It’s So Hard To Resolve

Ninety-percent of the victims surveyed in the Ponemon Institute study did not get their identity-theft issues resolved.

“This is where the health care provider, the payer, everyone in the system as well as the patients need to become more aware of this problem and take action,” Kam said.

“There are processes in place that are well-established within the financial services industry. In health care, we don’t have that yet. Everything is case-by-case,” said Patterson. “I think one of the reasons is that this whole realm of electronic protected health information is fairly new.”

Patterson is talking about the industry-wide transition from paper-based medical records to electronic medical records. The federal government offered the health care industry $30 billion in incentives to make the move.

But Kam said the electronic systems could create some problems for victims who want to untangle their medical records with the person who stole their identity.

“We really don’t know how far our medical records are dispersed once they enter the system. You walk into an emergency room and that info is transmitted within the hospital system,…but from there it goes from health information exchanges and propagates all over the country,” Kam said.

“Your information may be in dozens, in sometimes hundreds of databases all over the country, and you don’t even know it,” he said. “If you don’t know where it’s been dispersed to, how do you know it’s been removed?”

Experts said some smaller hospitals and doctors’ offices don’t have resources set aside to help victims of fraud.

“At a small hospital and a small clinic, you’re at a disadvantage because they are probably not as aware of the situation and may be less sympathetic to the person trying to convince them that they’ve got a problem,” said Kam.

At Jewish Hospital-Mercy Health, where Carpenters’ identity was compromised, hospital officials said they “red flag” a patient’s account as soon as he or she informs them of the identity theft. That leads to an investigation, where the hospital suspends outstanding bills and asks for a copy for the police report. Bentley said they arrange for the patient to meet with a clinician, go through the patient’s medical record together and correct errors in the record.

Privacy laws — such as the federal Health Insurance Portability and Accountability Act, or HIPPA, meant to protect the privacy of the patient — are working against people who are victim to these types of crimes.

“I feel violated. I feel like hospitals are under this big HIPPA thing for patient privacy, but I feel like my privacy has been violated, and that’s not right,” Carpenter said.

Once a victim tells the hospital they’re not the person who received medical services, they’re sometimes blocked from accessing their own records.

“HIPPA laws in the past said, ‘I can’t talk to you.’ That’s been drilled into the staff at hospitals and clinics for years, and so unfortunately, it has a carryover. People are still trying to understand, ‘What do I do if somebody says they are not who they say they are, and they say that somebody is using their identity?’ There needs to be training and awareness on that,” Kam said.

That happened to Carpenter, she said, when she first tried to explain the medical identity theft to hospital staff.

“She refused to give me any more information because she said I was not the patient and she couldn’t provide me information,” she said. “I feel like I’m on a merry-go-round, and there’s no end to it.”

What To Do If Your Medical Identity Is Stolen

Medical fraud experts recommend regularly checking the explanation of benefits form sent by your health insurance provider.

“If you see treatments you’ve never received or anomalies, contact your provider. Request an annual listing of benefits paid out, similar to a credit report for your medical history,” said Warfel.

Identity-theft experts and law enforcement officials also recommend taking the following steps:

  • File a report with law enforcement. This will help with claims, affidavits and documentation you will need to correct the fraudulent use of your identity.
  • Send copies of the report to your insurance company and all three credit bureaus: Experian, Equifax and TransUnion.
  • File a medical identity theft complaint with the Federal Trade Commission or call the FTC’s toll-free hotline at 1-877-438-4338

Click here to access the article online.

August 13, 2015 by Taylor Mirfendereski, ABC WCPO9 Cincinnati