A New Medical Worry: Identity Thieves Find Ways To Target Hospital Patients | WSJ | 2.22.05
A sudden tear in his aorta required Robert Parker to undergo emergency open-chest surgery. As he recovered in the intensive-care unit of a California hospital, a Nevada criminal began seeking credit using Mr. Parker’s name and Social Security number. That information was at the front of his medical file, which was visible to hospital personnel. …
Just this weekend, the University of Chicago Hospitals reported that a former employee had stolen identity information from as many as 85 patients. In recent years, rings of thieves stole the identities of more than 15 such patients in Iowa, 30 in Minnesota and nearly 50 in Indiana. During the past two years, the state of Michigan has prosecuted more than 20 cases involving medical-patient identity theft, many involving multiple victims, Michigan Attorney General Mike Cox says. …
Hospital patients are vulnerable in part because they are unlikely to detect anything amiss. Some may never leave the hospital. A team of alleged identity thieves arrested in 2003 in New Jersey were targeting the terminally ill, according to police.
The biggest vulnerability of hospital patients is that their Social Security numbers often double as a medical identifier. For identity thieves, “Social Security numbers are the key to the golden kingdom,” says Mari Frank, a California attorney specializing in identity theft. …
I had the very same thing happen (as a patient) three years ago—had my social security number (SSN) listed in two places on the demographic record (one as a thinly disguised insurance policy number). Within months several credit applications made, one large purchase, and several attempts occurred. The hospital could not be convinced they were the source until their employee was arrested with the very demographic record I knew was the source. Now one of my sons was in the same hospital last week (never having been a patient there before; therefore, a completely new record had to be created)—there again my SSN appeared on the very same demographic record with a new insurance policy and no attempt to disguise the SSN as the policy number. Fortunately, he didn’t know his SSN.
Civil Code Sections 1798.85-1798.86 and 1786.60
The law, which took effect beginning July 1, 2002, and must be fully effective no later than July 1, 2005, applies to individuals and non-governmental entities. Under the law’s provisions, companies may not do any of the following:
- Post or publicly display SSNs,
- Print SSNs on identification cards or badges,
- Require people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted,
- Require people to log onto a web site using an SSN without a password, or
- Print SSNs on anything mailed to a customer unless required by law or the document is a form or application.
The law has a phased-in compliance schedule:
- All subject entities except financial institutions and those involved in providing or administering health care or insurance:
- 7/1/02: must comply with all requirements for new accounts. May continue former practices on existing accounts, but must comply with requirements within 30 days upon written request from customer.
- Financial institutions:
- 9/28/02: must comply with all requirements for new accounts, except ban on mailing certain documents with SSNs. May continue former practices on existing accounts, but must comply with requirements within 30 days upon written request from customer.
- 7/1/03: must comply with all requirements for new accounts.
- Entities providing or administering health care or insurance:
- 1/1/03: must comply with all requirements except ban on putting SSNs on identification cards, for individual policyholders.
- 1/1/04: must comply with all requirements, including identification card requirement, for new individual and group policyholders.
- 7/1/05: must comply with all requirements for all individual and group policyholders in existence prior to 1/1/04.
Also see here.
