Please note that this website will be undergoing maintenance on 9/5/2010, between 12:00 AM and 3:00 AM EDT. The site may be unavailable during this time.

Medical Identity Theft Case Pursued in Florida

According to reports that appeared in a number of Florida print and broadcast outlets (September 8-10), U.S. Attorney R. Alexander Acosta in Miami announced on Friday, September 8, the indictment of a Naples man and his cousin who worked at the Cleveland Clinic in Weston, Florida, for stealing the personal information of more than 1,100 patients from the former Cleveland Clinic in Naples. 

Fernando Ferrer Jr., 29, of Naples, registered as one of the owners of Advanced Medical Claims Inc. in Naples, and Isis Machado, 22, of Miami Lakes, were indicted on charges they stole patient information for fraudulent purposes. 

According to the indictment and reports (September 9) by the Miami Herald and the Naples Daily news, the theft occurred as follows: 

  • Machado worked as a front desk coordinator at the Weston campus from May 23, 2005, to June 26, 2006, where she authorized access to the Weston Cleveland Clinic's computers, which were integrated with the computers at the former Cleveland Clinic in Naples. 
  • Ferrer told Machado that she had an "opportunity" to sell the personal identification of patients and he would pay her for the information. 
  • Machado downloaded the computerized files and printed the information of more than 1,100 Naples patients, including their names, home addresses, dates of birth, Social Security numbers, and Medicare numbers. 
  • Machado sold the data to Ferrer, who used the stolen information in connection with the submission of approximately $2.8 million in false claims to Medicare. 

Machado and Ferrer were charged with conspiracy to commit computer fraud, conspiracy to commit identity theft, conspiracy to wrongfully disclose patients’ healthcare information (violations of the Health Insurance Portability and Accountability Act – HIPPA), and aggravated identity theft. 

According to the Miami Herald, the first three charges could lead to 10 years in prison and a $250,000 fine, but the toughest penalties could come from 5 counts of aggravated identity theft – each of which mandates a two-year sentence, in addition to the other charges. 

For more information regarding the penalties for aggravated identity theft see Chapter 47 of title 18, United States Code, section 1028A. 

The Response: 

A spokesperson for Cleveland Clinic (at its parent in Ohio) said that it sent letters on September 8th to the potentially affected Naples patients alerting them to the theft and providing them with resources to help protect their demographic and financial information from risk, as reported by various news organizations. 

A toll-free number — 1-866-907-0675 — was established for patients. 

The spokesperson said another employee noticed Machado was inappropriately accessing patient information back in June, reported The Naples Daily News. 

"Cleveland Clinic Florida promptly notified state and federal authorities of this problem and over the past two months, federal law enforcement officials have conducted an intensive and confidential investigation of this matter. The Cleveland Clinic Florida has cooperated fully in this investigation and is also conducting an internal risk assessment to prevent such an event from happening again. Cleveland Clinic deeply regrets this incident as patients and visitors place their trust in our employees and staff… We believe it was an isolated incident. This was one employee's action. There were not any other people involved." 

The article went on to say that according to the Vice President of Financial Relations of Naples-based Health Management Associates, HMA purchased the 83-bed hospital and outpatient medical center in Naples in May, 2006, and a new computer system was installed. The hospital was renamed Physicians Regional Medical Center. 

"We put our own system in place," he said. "There was no access to the HMA system." 

The Naples Daily News reported that chief executive officer of Physicians Regional said the theft involved only the data of the Cleveland Clinic, not Physicians Regional. 

As per the Naples Daily News, Physicians Regional issued a statement that said in part: 

"At this time, we would like to assure our patients that protecting their privacy is of our highest concern, and this incident did not in any way compromise the current systems in place for Physicians Regional Medical Center and the physician practice, Medical Surgical Specialists." 

Our Question: 

How can an employee performing front desk coordination duties gain access to something as precious as computerized patient files including names, home addresses, dates of birth, Social Security numbers, and Medicare numbers? 

Our Observations: 

Medical identity theft is the newest frontier in the ever-evolving crime of identity theft. It is particularly heinous in that it attacks individuals at their most vulnerable moments. Moreover, if another individual uses patient information to seek medical treatment, the results can be horrific: what if the “fake” patient has blood type AB and the “real” patient blood type O? A transfusion based on the computerized medical file could lead to the “real” patient’s death. 

We applaud U.S. Attorney Acosta. He is dead right in his assertion, quoted by the Sun-Sentinel (September 8), that “Medical files have some of our most private information. Each of us rightly trusts that our health-care providers will keep them confidential.” 

This case represents a cautionary tale - best summarized by the first sentence of the Sun-Sentinel article: “Combining an "unwholesome criminal trilogy" of identity theft, medical privacy violations and health-care fraud…” 

According to the Miami Herald, while state and federal authorities have made a number of arrests that involve clinics and medical supply companies, often suppliers of personal information are not known. The Cleveland Clinic case was only the third in the United States in which persons have been charged criminally for violating federal healthcare privacy laws. This goes to show how new and unregulated medical identity theft really is. 

According to a story in the New York Times (September 4), entitled “Victims Fight to Clear Their Names After Others’ Deeds,” while federal law allows patients to request their medical records and contest information, a blizzard of rules and exceptions can make righting wrongs very complicated and time consuming. 

By the time a patient actually learns of the theft, incorrect information may have been already disseminated to dozens of other sources that, in turn, relay the information to a number of others. 

In May, 2006, The World Privacy Forum published a report detailing the realities of medical identity theft, difficulties faced by victims, inadequacies of current regulatory schemes and resolution mechanisms, policy recommendations regarding the development and implementation of the coming National Heath Information Network, and a roadmap for victims who literally have no alternative but “self-help.” 

On its Web site, The WPF says that medical identity theft “isn’t just a crime against the health care system… It’s a crime that makes individuals victims in addition to the providers and insurers who may directly bear financial losses.” 

The WPF report is entitled “MEDICAL IDENTITY THEFT: The Information Crime That Can Kill You.” It says in part: 

“Medical identity theft is a crime that can cause great harm to its victims. Yet despite the profound risk it carries, it is the least studied and most poorly documented of the cluster of identity theft crimes. It is also the most difficult to fix after the fact, because victims have limited rights and recourses. 

Medical identity theft typically leaves a trail of falsified information in medical records that plague victims’ medical and financial lives for years.” 

Medical fraud costs federal and state governments billions of dollars each year. It is pure speculation as to the cost of medical identity theft in financial and human terms, as it is just now percolating into the consciousness of the public. 

The September 9 Miami Herald article quoted the Special Agent in Charge of the Miami office of the FBI that: 

“We expect healthcare employees to keep our personal information confidential and secure. Criminals who commit healthcare fraud steal from all of us as U.S. taxpayers and, in the end, make medical care more expensive for all of us.” 

Hopefully, this particular saga ends with the indictments of Ferrer and Machado. Hopefully, they didn’t sell the information to anyone else. Regardless, medical identity theft is very serious and far from over.    

©2003-2010 Identity Theft 911, LLC. All rights reserved.

.
.