Health IT office awards contract to fight medical identity theft

National coordinator for health IT asks Booz Allen to analyze prevalence of medical records theft and how to prevent and detect it.

The federal office overseeing the development of a national system of electronic medical records awarded a $450,000 contract on Wednesday to Booz Allen Hamilton to evaluate the scope of medical identity theft in the United States.

Comment on this article in The Forum."The prevention and detection of medical identify theft along with actions to address problems that may occur as a result of medical identity theft are necessary steps to build consumer trust in electronic health information exchange," said Robert Kolodner, national coordinator for health information technology at the Health and Human Services Department.

Officials with the national coordinator's office, which is spearheading the effort to provide most Americans with electronic health records by 2014, said Booz Allen will examine how information technology can be used to detect and prevent medical identity theft.

Medical identity theft is the act of stealing patients' electronic health records with the intent of committing crimes, such as blackmailing individuals who have been diagnosed as being HIV-positive or using the stolen medical records to set up fake medical clinics to file false claims. Last year, five people pleaded guilty to operating such a clinic to defraud Medicare.

The problem is widespread, according to the World Privacy Forum, which has studied the issue. Between 250,000 and 1 million Americans annually have their medical identities stolen, with potentially deadly consequences, according to the group's 2006 report. In one example cited, a Florida woman found that "an imposter had caused false entries [to be recorded] on her file, including changes to her blood type."

Last month Finjan Software Inc. reported that its Malicious Code Research Center discovered sensitive health information on U.S. patients stored on a Malaysian computer server, which was controlled by cyber criminals. Pam Dixon, executive director of the World Privacy Forum, said the Finjan report was an indication that medical identity theft has been adopted by "some nasty overseas crime rings," which elevated the consequences of medical identity theft to more dangerous levels.

She said the crime rings could hold the stolen medical identities for a year or two and then set up a fake clinic in the United States to start billing for procedures that run from $1,000 to $250,000 each for multiple patients.

Booz Allen, in the first phase of work on the contract, will assess the scope of medical identity theft, the result of which will serve as the baseline for developing prevention, detection and remediation strategies, according to the Office of the National Coordinator for Health Information Technology.

A one-day town hall meeting will be held in October in the Washington area, for the second phase of the project, and will be open to the public. The third phase will feature a final report and roadmap, summarizing key issues and possible next steps.

Dixon said she is heartened that Kolodner has decided to focus on medical identity theft, but she viewed the contract as late in the process to develop a national electronic health record system. She previously said as much when she testified in 2005 to Congress about medical identity theft one year after President Bush kicked off the national electronic health record project.

In addition, Dixon said electronic health records make it easier to steal medical identities and deterrents need to be built into the architecture of the National Health Information Network championed by Kolodner's office. The office also should develop ways to aid victims of medical identity theft, she said.