Tax Identity Theft Awareness Week


Tax season is underway and the Federal Trade Commission has designated this as Tax Identity Theft Awareness Week.

It’s an effort to educate people and help prevent them from becoming victims of identity theft.

Randy Hutchinson with the Better Business Bureau has tips on how to protect yourself.

What is tax identity theft?

Two forms:

  • Thief uses someone else’s Social Security Number to file a fraudulent tax return and get a refund. Victim may only learn about it after filing his own return and getting a notice from the IRS that one has already been filed in his name.
  • Thief, perhaps an illegal immigrant, uses someone else’s Social Security Number to get a job. Victim may only learn about it when she files her tax return and gets a notice from the IRS that she has under-reported her income.

How big is the problem? 

  • IRS initiated 1,492 criminal investigations in FY 2013:
    • 66% more than FY 2012.
    • 440% more than FY 2011.
    • IRS issued $4 billion in fraudulent refunds in 2012 – sent 655 refunds to a fraudulent address in Lithuania.

Give us examples of tax identity theft:

  • Rashia Wilson of Tampa, FL obtained over $2 million in fraudulent refunds from 2009 to 2012. IRS calls her the “First Lady” of tax fraud.
  • Six Memphis women pleaded guilty last year to filing over 800 fraudulent returns totaling $1.3 million. Some victims were local high school students.
  • Other crooks have stolen identities of deceased persons, residents of nursing homes, and inmates.
  • Some crooks recruit mail carriers to intercept fraudulent refunds that are mailed to victims’ addresses.
  • Some thieves are crooked tax preparers – one fellow used information from 51 clients to obtain $200,000 in fraudulent refunds.

What are signs that someone is a victim of tax identity theft?

You receive a notice from the IRS that:

  • More than one tax return was filed for you.
  • You have a balance due, a refund offset, or a collection action taken against you for a year you didn’t file a return.
  • IRS records indicate you received wages from an employer unknown to you.

What should people do if they become a victim of tax identity theft?

  • Contact the IRS immediately.
  • Consider filing a police report.
  • Consider putting a fraud alert on credit reports.

Any other advice to avoid tax identity fraud?

  • Choose a reputable tax preparer.
  • Don’t respond to unsolicited emails that appear to come from the IRS asking for information.

The Growing Problem of Medical Identity Theft

Medical identity theft (MIT) has become a major fraud issue over the past several years. However, most consumers may not be aware of the threats it poses. Unlike traditional financial crimes such as credit card or check fraud, which rarely involves anything more than a loss of money, the consequences of MIT can involve physical harm or potential loss of life.

According to the Medical Identity Fraud Alliance (MIFA), MIT is defined as the fraudulent theft of an individual’s protected health information (PHI) and personally identifiable information (PII) — such as a name or Social Security number — to obtain medical goods and services or for financial benefit. Additionally, the MIFA states that synthetic identities have been used to commit MIT in which the PHI of several individuals may be mixed to create separate identities.


Unlike financial fraud, MIT is potentially a life-or-death situation at its most extreme. When others use a victim’s medical identity to obtain medical services or prescription drugs, that information may be commingled with the victim’s electronic health record (EHR).

The MIFA highlighted an example in which an elderly man visiting his local emergency room for a back injury was nearly administered penicillin, to which he had a life-threatening allergy. The issue was caused after the victim lost his medical ID card and did not immediately report it. In the intervening months, someone else used his medical ID at the same emergency room in which he was treated. The victim’s medical records were corrupted with the addition of the fraudster’s medical conditions.

There are several factors that contribute to the recent increase in MIT, such as a conversion to digital records, the black market value of medical records, friendly fraud and insider threats and Affordable Care Act (ACA) fraud.


As health care providers convert to digital records, the personal medical information of millions of people has become vulnerable to external data breaches. In 2009, the federal government began offering hospitals and health care providers a monetary incentive to convert to EHRs.

Although there are security guidelines and certifications in place, online medical data has become a prime target for skilled cybercriminals. According to the Identity Theft Resource Center (ITRC), of the 761 data breaches it reported in 2014, 322 (42 percent) were in the medical/health care category. The Ponemon Institute estimates the annual economic impact from MIT is $11.6 billion.


Since December 2013, there have been many high-profile retail data breaches in which millions of consumers’ PII was compromised and put up for sale on underground websites such as Rescator. However, credit card and Social Security numbers for sale on underground sites only fetch a few dollars. Stolen medical identities, by comparison, sell for as much as $50.

In general, consumers do not understand how valuable their medical insurance information has become.


The Ponemon Institute’s survey found that 35 percent of MIT was the result of family members using the victim’s insurance information. These crimes often go unreported to law enforcement because the victim knows or is related to the perpetrator.

Twenty-nine percent of cases stem from health care providers billing for unrendered services and from malicious insiders employed by health providers who steal and sell medical identities.


After the ACA was implemented, millions of Americans were exposed to identity theft and fraud. The enrollment website had issues, according to cybersecurity expert and SecureMySocial CEO Joseph Steinberg. He said it was unstable and would sometimes deny access, cut off communications in the middle of a session or crash completely. Buggy systems often let criminals exploit glitches to gain unauthorized access, read data or even modify the code executed during subsequent user sessions. Reports show organized crime groups and fraudsters began to bombard potential victims with emails and phone calls in an attempt to trick them into surrendering their Social Security number, bank number or other types of PII.

For instance, when a 69-year-old Ohio man signed up for health care through the site, he became a prime target for fraudsters. He started receiving dozens of spam emails and even received a phone call from a “convincing” man who claimed to be from the national Medicare office. The man said Medicare was ready to send a new Medicare card, but it first needed to confirm his identity through his bank account number.


Consumer awareness of medical identity theft is an important step that must be taken to limit the growth and expansion of MIT. Consumers must understand there are potentially severe consequences if their medical identity is compromised. The following are some actions consumers can take to prevent and detect fraud early on:

  • Guard medical identification and insurance information as closely as your Social Security number and banking information.
  • Carefully review the explanation of benefit statements you receive in the mail to ensure listed services pertain to your own care.
  • Monitor your credit report for unusual activity related to delinquent medical bills.
  • If you suspect you have been victimized, request all medical records from your health care providers to perform a review.
  • Read this IRTC fact sheet for more consumer protection information.


As more devices enter the Internet of Things ecosystem, the health care industry will benefit from innovation. Wearables such as Fitbit and Apple iWatch will capture real-time data on patients. The natural progression is for this data to be transmitted to a patient’s health care provider and become part of a holistic health care approach.

Ultimately, there will be an increased number of access points into health care systems and, consequently, an increased attack surface for cybercriminals.

The top-of-mind issue for information security professionals in the health care industry is protecting against network infiltration and large-scale data breaches. However, what about the risk posed by the multiple devices patients will use to access their records? Mobile malware continues to increase at an alarming rate as cybercriminals look to capitalize on the proliferation of mobile device usage. According to Websense, 2015 will see cybercriminals looking to take advantage of auto-login capabilities of mobile apps to steal credentials. Malcovery predicts password reuse attacks from the countless data breaches will increase since cybercriminals will automate the attacks.

These are not groundbreaking predictions, but the preparedness of the health care industry must be considered. More mature industries in the digital world have made investments to address the challenges created by customers using multiple devices to access accounts and records. Device fingerprinting, malware detection, device reputation analysis and IP address monitoring are all techniques used to identify suspicious logins using a current customer’s credentials.

Are health care systems preparing to help protect their patients from login credential theft on the increasing number of devices patients will use to access and contribute to their health care records? Banks and other financial institutions have long witnessed their customers lose login credentials through phishing and malware attacks. With the digitalization of health care records and the subsequent surge in value, cybercriminals will employ the same techniques used to gain access to individuals’ online bank accounts to access their EHR.

The theft of health care login credentials can have widespread implications. Medical identity theft is still an immediate concern. However, this is shortsighted. Criminals can use the information from an EHR to conduct cross-industry identity theft, including establishing a line of credit using the victim’s identity or taking out an auto insurance policy in the victim’s name. What’s even more challenging is identifying the root cause of the identity theft. Victims are often unaware of lost credentials; therefore, they may never make the connection between the compromised medical records and the fraudulently opened credit card.

Medical identity theft is a growing fraud problem, and its consequences can be dire. The industry adoption of EHR, black market value of medical identity information and the lack of consumer awareness of the problem have all contributed to the growth of this issue. The expanded use of connected medical devices will provide increased opportunities for cybercriminals to access and compromise consumers’ medical records. Health care providers will have to invest in and adopt technologies to be on par with the financial sector.

Article co-written by Chad Barnes, IBM Red Cell

New kind of identity theft you haven’t heard of.

New kind of identity theft you haven’t heard of.

You surely know about the dangers of identity theft, where someone who has obtained some of your personal information, such as your Social Security number, uses that to get money (often yours) or credit. It can cause massive headaches, at the very least. There’s not just a single kind of identity theft, though. There’s one kind in particular that has been happening more often lately. You probably don’t know about it and you definitely should. It’s medical identity theft.

The Federal Trade Commission has warned consumers about this growing danger, explaining medical identity theft thusly: “A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”

A growing problem

Here’s how much of a growing problem medical identity theft is: There’s a Medical Identity Fraud Alliance, or MIFA. And it has studied the matter, estimating that 2.3 million Americans were victimized by it in 2014, up almost 22% over 2013. That’s a lot of people — and a fast growth rate. Worse, along with the Ponemon Institute, MIFA has surveyed Americans, finding that among victims of medical identity theft, 65%, about two-thirds, ended up spending an average of $13,500 to straighten matters out. Victims also lost a lot of time — an average of about 200 hours spent trying to resolve their cases. Can it get any worse than that? Yup, it can: the folks at MIFA found that only 10% of those surveyed reached a “completely satisfactory conclusion of the incident.” And while about a fifth of victims suffered a decrease in their credit score, almost a third lost their health insurance.

Part of the problem likely stems from cyberattacks and security breaches at major corporations, when thousands or millions of people’s data is stolen in one fell swoop. That happened recently at America’s second-largest health insurer, Anthem, for example, and even more recently at Premera Blue Cross, based in Washington State. Premera Blue Cross’ breach is believed to affect 11 million members, and a Reuters report has explained that “the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other personal data in an attack that began in May 2014 and was uncovered on Jan. 29 of this year.” See some potential problems? Right. (Anthem believes that medical information was not stolen in its breach that affected close to 80 million people.)

What to do

Fortunately, if you’re now quivering in fear, worrying about being victimized, know that you’re not completely powerless. There are some steps you can take to reduce your chances of falling prey:

Check your credit reports regularly for any strange unpaid bills that an identity thief might have generated. You’re entitled to one free copy of your credit report each year from each of the three main reporting bureaus, and you can access those at To be strategic about it, you might space out your three annual copies, requesting one every four months, so that you’re getting information more regularly than once a year.

It also helps to know your Health Insurance Portability and Accountability Act rights and to ask your healthcare providers if you can see your electronic health records, to check for errors — especially if you know or suspect that you’ve been victimized. Read your explanation-of-benefits statements from providers, too, to check for any fraudulent charges. Know that you can ask health plans and medical providers for an “accounting of disclosures,” too, which is a listing of who has received your records and what information they received. You should, by law, be able to get one copy per year from each provider.

Don’t give out your personal information to friends or family members so that they can access some medical care. The data from MIFA shows that about a quarter of victims had given identifying information to a friend or family member.

Be on the lookout for scams, such as if someone claims to work for a healthcare company and offers you some services for free or for a too-good-to-be-true price, requiring your Social Security number or other personal data.

If you find that you’ve been victimized — and it can take several months for someone to notice, perhaps after receiving an unexpected bill or a collections notice — report it. Many people don’t report medical identity theft. Reasons include being embarrassed (such as if they gave their information to a trusted person) or not knowing where to report it. You can report problems to your health care provider, your insurer, and federal and state authorities. You can also contact your local police department, your state Attorney General’s office, and the Department of Health and Human Services.

Medical identity theft is a scary scam, but by taking certain steps, you may be able to either avoid it or minimize its damage, should it happen to you.

The Motley Fool is a USA TODAY content partner offering financial news, analysis and commentary designed to help people take control of their financial lives. Its content is produced independently of USA TODAY.