Medical Identity Theft Prevalence
Unfortunately, we were unable to compile a comprehensive list of the types of locations in which medical identity theft occurs using publicly available information sources. We found that medical identity theft is in decline in the United States. We found an older study (from 2012) that indicates that 35 percent of medical identity thefts were due to a relative and that 22 percent were due to fraudulent billing by a healthcare provider. We were able to study one list containing case studies of 436 large-scale medical identity breaches. This list may allow us to make some inferences about the general locations of identity thefts, but it falls shy of giving us enough information to make high-confidence assumptions about the overall risks and patterns.
We began by using industry sources to resolve a picture of the industry definitions and terms related to medical identity theft, medical fraud, and HIPAA violations. This gave us a solid grounding to sort through research and ensure that we stayed on track across multiple research strategies.
For our first research strategy, we dove into the reports of reputable consultancy agencies like Deloitte and Accenture. In our experience, these firm tend to offer granular, well-founded reports on the risks and vulnerabilities of various industries, however, in this case, we did not find any useful breakdowns of medical identity theft.
Next, we turned to government sources. Because healthcare is a highly regulated industry, sources like ftc.gov and hhs.gov have often proven useful in studying healthcare-related issues. Unfortunately, we did not find enough information related to medical identity theft to resolve a picture of the locations in which that theft takes place.
At this point, we expanded the scope of our research to medical industry press sources like Health Care IT News, Beckers Hospital Review, and Get Referral MD. Still, we did not find the information needed to answer this request.
Finally, we tried searching both high-level market research sources like ConsumerReports.org, Experian, and Statista as well as academic and industry case study sources like HBR, Brookings, Academia, and Researchgate. These sources led to a few insights but did not give us enough information to fully answer this request nor make high-confidence estimations of the requested data.
HELPFUL FINDINGS: PREVALENCE
Around 2.3 million Americans fell victim to medical identity theft in 2014. By 2018, the number of annual victims dropped to 1.8 million. Despite the fact that this latter number comes from an article decrying the rise of medical identity theft, the totals imply that the number of cases is falling over time.
HELPFUL FINDINGS: 2012 STUDY
As a matter of course, we prefer not to rely on sources that were published more than 24 months before the time of research, but we did find a study from 2012 that covers some matters related to this research request.
The study found that 35 percent of medical identity theft cases reported in the US were caused by relatives of the victim while 22 percent were the result of fraudulent billing by the healthcare provider. The study found that 7 percent of medical identity thefts were due to the malicious action of an individual employee of the medical provider. Data breaches and the theft of paper medical or billing statements caused 6 percent of medical identity thefts and another 6 percent were caused because the victim lost his or her wallet or purse.
It could be inferred that if 22 percent of medical identity thefts were caused by fraudulent billing and 7 percent by care provider employees, this means that only 29 percent of medical identity theft cases can be meaningfully linked to healthcare providers of any type (e.g. hospitals, provider offices, physician groups, laboratories, medical imaging facilities, free-standing ERs, or pharmacies.)
HELPFUL FINDINGS: 436 CASE STUDIES OF LARGE SCALE MEDICAL IDENTITY BREACHES
The US Department of Health and Human Services, Office of Civil Rights compiled a list of 436 breaches of unsecured protected health information affecting 500 or more individuals. The study covered two years.
Out of the 436 breaches, only 54 cases (12.36 percent) were labeled "thefts." Of those 54 cases, 46 cases (10.55 percent of the whole) were tied to a medical care provider location.
Going by keywords, four of the provider locations tied to large scale medical identity thefts marked out in this report had the word "university" attached to their names. Another four providers were called "medical centers." While three were called "hospitals," three were referred to as "health systems," two as "health care services." Of the remainder, two used the word "dental," one used the word "wellness," one was called a "surgery center," one a "pharmacy," and one contained the word "imaging."
While a few inferences might be made from the prevalence of certain keywords on this list of high-victim-count medical identity thefts over a 2-year period, we did not feel confident presenting these findings as an answer to this request.
Out of 436 breaches, only 54 cases were labeled "thefts."
This is calculated as 54/436 = ~.1236 or 12.36 percent.
Out of 436 breaches, only 46 cases were both labeled "thefts" and tired to a care provider location.
This is calculated as 54/436 = ~.1044 or 10.55 percent.
Regrettably, no comprehensive view of the locations in which medical identity theft occurs could be assembled from publicly available sources. We can say that medical identity thefts have been in decline and that less than a third of cases are tied to medical care provider locations, rather than the result of relatives or other factors. Some indication of the locations may be inferred from a list of large-scale breaches, but this is not enough to answer the request in detail.