CEO SUMMARY: Identity theft is one of America’s fastest- growing crimes. Not only that, it is simple to commit and can be done by anyone. Few laboratories and pathology group practices are prepared to deal with the crime of patient identity theft. Labs should proactively move to implement protections against patient identity theft and raise the awareness of employees to this type of crime.
PATIENT IDENTITY THEFT WILL SOON be on the radar screen of all healthcare providers, including laboratories and pathology group practices.
As a criminal trend, it is still in its infancy, but it has the potential to grow on a scale unforeseen by experts. Further, under HIPAA (Health Insurance Portability and Accountability Act), patient identity theft represents an entirely new dimension of risk.
THE DARK REPORT recommends that all laboratories and path- ology groups should take steps to understand this crime and implement safeguards against it. To help in that effort, we are proud to bring you the exclusive interview with cancer patient Eric Drew.
His story is remarkable, amazing, and inspiring, for many reasons. But it is also troubling. I suggest you carefully read the full interview on pages 9- 19. It is complete and detailed for a reason. In his own words, Eric Drew shows you how easy it is for someone inside a hospital laboratory to steal a patient’s identity and profit from the crime. He also shows you what happens when the healthcare provider is unprepared to deal with a patient who is a victim of identity theft while under its care.
I call your attention to several points, assuming that you have read Drew’s interview before you read my commentary. First, Drew acted within the system. Realizing his identity was stolen and with good reason to suspect the crime occurred in the hospital where he was a patient, he used the “privacy hotline” at the hospital to notify them of the situation. Hospital officials met with Drew.
What was the hospital’s response? In Drew’s words, “They rolled their eyes and treated me as though I were just some unruly patient. They were very patronizing. I thought later, why would the hospital help me? I figured the hospital would be subject to a multi-million dollar HIPAA violation if my hospital records were to be proven breached— which is exactly what happened!”
Put your lab or pathology group in the same scenario. Who would meet with a patient that had a sound argument, based on early evidence, that someone within your organization had committed the crime of patient identity theft? What would be their response, in speaking for your laboratory?
Here is where the ethics of your lab- oratory will become visible. Eric Drew’s hospital took what was, essentially, a position which was both do-nothing and adversarial. Drew said “They asked me how I knew it was a hospital employee and said that, even if it were, there would be no way to prove it.”
This rubs against my business ethics. If I had evidence that an employee was engaging in criminal behavior at work, I would certainly want to jump on this case, learn the facts, and, if warranted, terminate this individual at the earliest opportunity. In Eric Drew’s case, once briefed about the identity theft, this healthcare provider showed no motivation to either help him in tangible ways, nor did it immediately initiate internal actions to identify the culprit and take effective action against that employee.
I should point out that the hospital’s attitude toward this case of patient identity theft was not much different than that of the Seattle Police and the FBI. What made the difference in Eric Drew’s case was that he got media attention. Once television news broadcasts publicized the fact that a patient battling an almost-always fatal form of cancer at Seattle Cancer Care Alliance (SCCA) was also battling patient identity theft—from his hospital bed—he did get a higher degree of attention from his healthcare provider and the authorities.
But even that attention did not translate into an effective response to his situation. I wonder what might have happened had the CEO of SCCA, or the CEO of University of Washington Medical Center, publicly leaned on the Seattle Police and District Attorney to pursue and prosecute Drew’s case. This did not happen, but I ask the question. Would your laboratory be prepared to publicly support justice for a patient who experienced identity theft while under the care of your laboratory? Keep in mind, some would view that as negative publicity even though it would be the right thing to do.
Tough Actions—What If?
In fact, let me ask this. If Eric Drew’s hospital had taken the tough stand on this crime; if it had worked to ferret out the criminal among its employees; if it had put pressure on the police and district attorney to successfully prose- cute the case: wouldn’t that have been the win-win decision for everyone?
Patient Eric Drew would have not only seen justice done, but would have been grateful to the hospital. The hospital would have sent a powerful message to the community—and its employees— that it is tough on crime and not to be messed with.
My final point is probably the most obvious. If patient Eric Drew had chosen to find a high-profile attorney, the evidence indicates that he would have a strong civil case against the hospital. He has already made that connection, as noted in the quote earlier. In fact, it appears the hospital’s reaction was organized more to neutralize the threat that this patient might have standing to sue than to deal effectively with the crime and bring it to a resolution that satisfied all parties.