The Health and Human Services Department's internal watchdog blames federal agency for failing to do enough to help thousands of Medicare recipients whose IDs were compromised by government security breaches.
Thousands of Medicare beneficiaries were put at risk of having their private medical information stolen because of security breaches, and the government was slow to notify or help most of the victims, an internal investigation found.
The stimulus law passed in 2009 required the Centers for Medicare and Medicaid Services (CMS) to quickly alert victims of possible identity theft, but the Health and Human Services Office of Inspector General found the agency often was slow to do so for many of the 13,775 beneficiaries put at risk by 14 recent security breaches.
"Breaches and medical identity theft put beneficiaries, providers, and the Medicare Trust Funds at risk," investigator said. "If CMS does not follow the requirements for handling breaches, opportunities increase for medical identity theft and fraudulent billing of the Medicare program."
The largest breach, affecting more than 13,412 people, occurred because a government contractor mailed Medicare information to the wrong address. Two more breaches occurred because beneficiaries information was posted online. Only one breach involved out-right theft of the information, investigators said.
People whose identification numbers are stolen or compromised are often stuck with them, the IG said, including being forced to deal with any fraudulent charges or changes made to their account.
"There is no standard procedure for ensuring that beneficiaries retain their access to services if their Medicare numbers have been misused by others," the report warned. "If a beneficiary’s number is misused, a claim for a service or an item resulting from the misuse is included in the beneficiary’s Medicare billing history. This could delay or prevent beneficiaries from receiving needed services, particularly when these services are subject to a cap."
The trouble with assigning a new number is that the Medicare information is often tied to Social Security Numbers. The Social Security Administration has advocated separating the two, investigators said.
"Beneficiaries with compromised numbers are not routinely assigned new numbers," the report said. "Several benefit integrity contractors expressed a desire for CMS to terminate and issue new beneficiary numbers, citing the credit card industry as a model."
CMS has been reluctant due to the high costs and amount of time it would take to change their system, but said they would look at developing a plan to get victims new accounts, investigators said.
"Making the necessary changes to allow CMS to reissue identification numbers for beneficiaries will require significant monetary investments, multiple systems and operational changes," Acting CMS Director Marilyn Tavenner said in a response to the report. "However, we recognize the importance of finding ways to better protect personally identifiable information for beneficiaries and to assist beneficiaries who are victims of medical identity theft."
Government contractor's responses to the thefts have also varied widely. Some have continued to make payments for beneficiaries whose information has been compromised because they didn't check first to see if the account was one that had been breached.
CMS provides some assistance to providers who may have to deal with fraudulent claims, but has fewer options available for individuals who are victims of identity theft, investigators said.
The breaches occurred between Sept. 2009 and Dec. 2011, investigators said. Theft of medical information could allow criminals to buy prescription drugs and medical supplies using victims' information, and cost the government taxpayer money if it pays any fraudulent claims, the inspector general said. Changes to medical information could also lead to patients receiving the wrong treatment, the IG said.
Individuals who may have had information stolen are supposed to be notified at most 60 days after the breach, according to government policy. But CMS didn't always alert people in time, the IG found. For some of the security violations, it took six months before victims were notified their information might have been compromised.
Victims of the largest breach, however, were notified in a timely manner and CMS alerted the media to the breach as required by government guidelines for incidents affecting more than 500 people. But investigators found the media outreach didn't include steps beneficiaries could take to keep their information safe.
The inspector general recommended that CMS ensure all victims are notified of breaches in a timely manner, update its database contractors can use to look up compromised numbers, and try to develop some way to give victims of medical identity theft new numbers so that they can continue getting needed services.
CMS agreed with the recommendations, but said it would not seek to remove fraudulent payments from Medicare records as it could affect evidence in criminal proceedings. Instead, CMS said it would seek a way to ensure victims don't pay for the fraudulent claims and still receive medical services.
The Health and Human Services Department, or HHS is the "government’s principal agency for protecting the health of all Americans and providing essential human services," according to its website.
The Office of Inspector General, or IG, is an independent watchdog within each government agency charged with finding waste, fraud or areas for improvement.
The Centers for Medicare and Medicaid Services, or CMS, is the HHS office that handles Medicare and Medicaid entitlement payments to beneficiaries and medical facilities.
