The Ponemon Institute’s recent publication of its fourth annual 2013 Survey on Medical Identity Theft (Survey) confirmed what many in the healthcare industry already knew: identity theft is a serious and often overlooked problem, and its continued expansion is significantly eroding patients’ trust in their healthcare providers. According to the Survey, the estimated number of medical identity theft victims grew from 1.5 to 1.8 million from 2012 to 2013 and, perhaps more importantly, more than half of those surveyed said that the most likely consequence of medical identity theft is the loss of trust and confidence in their healthcare provider. These Survey results could indicate an important shift in public perception regarding identity theft — as government efforts to deter identity theft through criminal prosecutions and legislation continue to fall short, providers may be expected by both the public and the government to take on more responsibility for identity theft prevention and deterrence.

We previously reported on proposed legislation aimed specifically at curbing medical identity theft, including legislation that would end the use of social security numbers as Medicare beneficiary numbers. This effort, along with similar legislation, failed to make it through Congress. However, over the years, legislation has been passed in an effort to deter identity theft through criminal prosecutions. In 1998, President Clinton signed into law the Identity Theft Assumption Deterrence Act, which criminalized identity theft at the federal level under 18 U.S.C. § 1028. Since it became effective, an average of approximately 1,500 defendants have been charged each year with federal identity theft. Recognizing that individuals typically commit identity theft with a purpose, such as to commit healthcare fraud, President Bush signed into law the Identity Theft and Penalty Enhancement Act of 2004, which included the aggravated identity theft statute, found in 18 U.S.C. § 1028A. If identity theft is committed in connection with a fraud offense, the statute carries a two-year mandatory prison sentence that must run consecutive to any sentence imposed for the underlying fraud, making the statute one of a handful in the federal criminal code that require a mandatory, consecutive sentence. As such, the statute has been popular among federal prosecutors, and its use has increased since 2004, often by hundreds of defendants each year.

Despite the number of prosecutions, the Survey indicates that identity theft continues to grow and that providers may be shouldering much of the blame from government regulators and patients alike. Under the expanded provisions of the HIPAA Omnibus Final Rule, government regulators are holding providers accountable for incidents in which patient information is stolen and used to commit identity theft, regardless of whether the perpetrator is brought to justice. Additionally, victims of identity theft are increasingly resorting to class action litigation in an attempt to recover damages incurred as a result of the theft. These activities corroborate the results found in the Survey regarding patients’ lack of trust and confidence in their healthcare providers.

In sum, the Survey underscores the importance of information security compliance efforts, not only as a method of preventing medical identity theft and accompanying litigation or enforcement activities, but also as a means of reestablishing patients’ trust and confidence in their healthcare providers.