How HHS OIG Helps CMS Combat Medical Identity Theft

To combat pandemic-related fraud at the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) partnered with the Department of Justice (DOJ) to conduct outreach campaigns to educate the public about emerging schemes. These alerts also provide information resources like contact information for reporting suspected fraud and tips on how to protect against the schemes.

“OIG’s Office of Investigations conducts criminal, civil and administrative investigations of fraud and misconduct related to HHS programs, operations and beneficiaries,” Jon-Paul Correira, HHS OIG’s assistant special agent in charge and director of inspections and investigative policy, said during AFCEA’s FedID Forum. “One common element is that many of these fraud schemes include theft of the identities of beneficiaries and/or providers.”

Medical identity theft happens when fraudsters steal or use a patient’s or provider’s medical identifying information, like a Medicare identification number, to submit fraudulent claims to Medicare and other health insurers without authorization.

CMS receives approximately 800 identity theft related calls every month. This type of theft can create patient safety risks and impose financial burdens on beneficiaries and providers. Fraudsters can also use this information to steal identities.

“In fiscal year 2020, OIG closed 107 cases that involved an allegation of identity theft. These cases resulted in 75 indictments, 91 criminal actions, 8 civil actions and more than $52 million in HHS monetary receivables,” Correira said.

COVID-19 created more opportunities for fraudsters to take advantage of new weaknesses. Scammers used the pandemic to send phone calls and texts to beneficiaries regarding free COVID-19 tests, cures, relief kits, vaccination appointments, fake vaccination cards and HHS COVID-19 grants to entice beneficiaries to provide personal information.

“It is the same type of scheme they’ve always used, but now they’re using the fear of the virus to initiate conversation,” Correira said.

OIG also maintains a robust cybersecurity portfolio that supports oversight of access controls. Correira said that his office is focusing on strengthening program integrity and securing protected health information as cyberattacks intensify.

“[These] are proven ways to prevent possible identity fraud by protecting unauthorized access to this information,” Correira said.

HHS OIG conducts various audits and evaluations to protect beneficiaries’ information. The agency recently worked with the Social Security Administration (SSA) and the Government Accountability Office (GAO) to change Medicare identification numbers and remove associations with patients’ Social Security numbers to deter identity theft and fraud.

The new Medicare cards display a unique, randomly assigned Medicare number known as a Medicare beneficiary identifier (MBI), which protects against identity fraud and provides a direct way to address victims of medical identity theft when MBIs are used in fraud.

“Following the final roll out of the new cards, we have seen a drop in identity theft cases. From 2019 of January to April 2021, a 40% decrease in medical identity theft related calls to CMS, and that’s during the pandemic,” Correira said.