Reality check: avoiding medical identity fraud

A woman in her early 30s presented to an appointment claiming to be Sarah Long. Sarah was a patient of the practice but attended infrequently. The patient said she had fallen on her wrist and it was very painful. The GP referred her for an Xray, prescribed some analgesia and scheduled a follow-up appointment. When the practice contacted Sarah to confirm the follow-up appointment, she knew nothing about the consultation and said she had not been to the practice for over six months. While this is a fictional scenario, similar cases have occurred.

Mistakes can happen. Patients can have the same name. Records can be confused. However medical identity fraud, where someone deliberately impersonates another patient, has been recognised as an issue for some time in the United States. Australia is also starting to see cases.

There could be many reasons for this deception. Understanding some of the motivations can help you and your practice team be more alert to this issue and take steps to prevent it.

Access to healthcare

An individual may be using someone else’s Medicare card or insurance information for health treatments they cannot access, cannot afford, or prefer not to pay for. 

Data from the United States suggests that lack of access to affordable healthcare may underlie cases of patient impersonation there. We have also seen patients without documentation or access to Medicare presenting to clinics in Australia.

The Australian Institute of Criminology’s regular survey on identity crime in Australia has begun reporting instances of medical identity fraud. In the 2023 bulletin on identity crime a small number of respondents said they had received a medical bill for a service they did not receive. Others discovered fraudulent claims on their health insurance when they were told they had reached their benefit limits and had their own claims rejected. 

Drug seeking behaviours

Patients with drug-seeking behaviours may be using someone else’s identity to try to gain access to drugs of addiction. Their own identity may be flagged on a real time prescription monitoring database, or they may be using multiple different identities to avoid prescribing limits. Patients may also use someone else’s identity as a way of gaining access to medications at a lower price or with a subsidy.

Avoiding health reports

An individual may use a false identity to avoid having a condition on their own health record, if the condition is reportable or could affect insurance or limit professional opportunities.

Personal reasons

An impersonator may also be seeking to get information about someone to harm them personally.

In the scenario above, the motivations of Sarah’s impostor were never clear. It was possible she was an ex-partner seeking access to confidential health information. Or she may have been posing as a known patient to try to access pain medication, as the practice had a clear policy of not prescribing drugs of dependence to patients at the first consultation.

Whatever the reasons for the theft, the fall-out for patients whose identity has been stolen can be catastrophic.

Individuals may face huge medical bills with consequences for their credit ratings and access to finance. The US media, for example, recently reported on a case where a woman was arrested after incurring over $500,000 worth of medical bills in someone else’s name. Her victim had been battling for years to dispute the bills and restore her credit rating.

Your practice may be breaching a patient’s privacy if you give out healthcare information to someone impersonating them.

For both practices and individuals, the potential safety risks are even more concerning. Victims of medical identity theft have reported experiencing misdiagnosis and treatment delays. Some report living in fear of being given the wrong blood type or counter-indicated medication due to inaccurate information in their patient record.

Some frauds may be very elaborate and hard to detect. Other reported cases involve individuals taking advantage of busy clinics or practices and insufficient identity checks. Revisiting your privacy and security processes may help avert a fraud.

Check that your processes for identifying patients are clear and ideally use three identifiers. Remind staff why it is important to confirm a patient’s identity each time they visit. For more information see the RACGP Standards for General Practices 5th edition.

Check your processes for communicating with patients electronically to make sure you are not accidentally disclosing information that could be used by an impostor. For more information see Avant’s factsheet on email communication with patients.

Make sure staff are also aware of patient privacy at the reception desk and do not inadvertently disclose identifying information where it could be read or overheard.

Patients whose identity has been stolen say it can involve years of work and anxiety to have their medical records cleared of their impostor’s information. If you become aware that a patient’s medical records have been compromised, you will usually need to take several steps:

• Copy any information relating to the impostor into a new ‘unknown patient’ record.
• This is one situation where it would be appropriate to delete, rather than striking through, the inaccurate information in the ‘real’ patient’s record. Once the imposter information has been transferred to the ‘unknown patient’ record or other location, add a note explaining what happened. For more information see Avant’s resources on correcting records
• If the real patient is unaware of the issue, notify them and keep them informed.
• Contact any other providers such as radiology, pathology or specialists and withdraw the referral.
• Cancel any prescriptions and follow the procedures for reporting prescription fraud in your state.
• If test results were ordered and require follow-up care, the ordering GP remains responsible. See Avant’s Patient follow-up and recalls factsheet. However, if the patient provided incorrect contact details, follow-up may not be possible. If this is the case, contact your MDO for further guidance.
• Contact Medicare. This may mean you might have to reverse the billing for the consultation.
• Seek advice on whether you also need to notify the Office of the Australian Information Commissioner (OAIC) and / or contact police. For further information see Avant’s resource on Responding to a data breach.

If you realise that your practice has treated someone under a false name, it’s important to assess whether a data breach has occurred. Not every instance will qualify as a breach, but if patient information has been disclosed without proper authorisation, it may be considered one. You should follow the guidelines provided by the OAIC to determine if the incident requires notification. For more detailed advice, refer to Avant’s Responding to a data breach factsheet.

Additionally, if you are considering approaching the individual who provided a false name, personal safety should be a priority. Evaluate the situation carefully and avoid direct confrontation, particularly if there are concerns about the person’s behaviour or motives. Always follow your practice’s protocols for managing difficult situations which may involve calling security or police.

After the incident, take time to review your practice’s policies and procedures to identify any gaps or areas for improvement. Reflecting on the situation can provide valuable learnings to help prevent similar issues in the future and ensure your team is better prepared to handle these scenarios.

Avant factsheet: Here's the right way to correct medical records

Avant factsheet: Email communication with patients

Avant factsheet: Patient follow up and recalls

Avant factsheet: Responding to a data breach

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

This article was originally published in The Practice Manager, December 2024 edition (Issue 4)