April 6, 2015

SUMMARY

As tax season comes to a close, a number of physicians across the country have found themselves the victims of identity fraud resulting in the IRS’ paying refunds to scammers. Recent massive breaches of health insurers’ databases may have contributed to the problem. If a fraudulent tax return has been filed in your name, there are a number of steps that you should be taking, described in this Alert.

 

Cyber attacks on health databases are occurring so frequently that they are only newsworthy when they affect millions of records, as happened with the recently reported massive Anthem (about 80 million individuals) and Premera Blue Cross (more than 11 million) data breaches.  Last year, in fact, was characterized as the “year of the data breach” by some, according to Becker’s Hospital Review, which reports that: “Across industries, the healthcare sector experienced the highest percentage of breaches in 2014, according to Identity Theft Resource.  Of the 761 data breaches reported last year, 322 of them came from the healthcare industry.”

These attacks are the source of personal data not just from patients’ insurance records.  They are also perpetrated on physicians’ personal and financial information, which is then used to commit tax identity fraud.  Physicians are an attractive target for tax fraud because their income levels and potential tax refunds are higher than average.  Almost a year ago the American Medical Association (AMA) noted that:

Across the country, hundreds of physicians and other health professionals in at least 18 states have been the targets of tax fraud involving identity theft and the filing of fraudulent federal income tax returns.  These malicious acts of fraud have resulted in a significant loss of time and effort by physicians who have had to submit paper returns and additional information as proof of their identity.  It has also resulted in a significant loss of revenue to the federal government for fraudulent rebate checks.

On June 10, 2014, the AMA called upon the IRS and CMS to adopt regulations to prohibit the use of social security numbers by insurers, health care vendors and other government agencies. 

Montana, New Jersey, Connecticut, New Mexico and Washington are among the states that have recently adopted or considered legislation that would require data encryption for healthcare organizations; Massachusetts already has such a requirement on the books.  HIPAA does not expressly mandate encryption but rather treats it as an “addressable security solution” that must be considered as one of several means of protection.  Many health plans are only slowly encrypting their databases on the grounds that encryption interferes with data processing.  The technology is improving, however, and federal regulators in the HHS Office for Civil Rights increasingly expect to see encryption when they investigate breaches.  A more secure solution is keeping protected information on a server that does not have a public Internet Protocol (IP) address.  That said, encryption itself would not have protected against the Anthem attack, which occurred through a successful “phishing” enterprise where thieves tricked employees into providing credentials that gave access to the information system.

The IRS is pursuing tax fraud criminals.  In fiscal year 2014, the IRS initiated 1,063 identity theft-related investigations, and criminal investigation enforcement efforts resulted in 748 sentencings.  IRS officials have indicated that they will continue to increase the agency’s use of identity theft data models and filters in 2015.  It is becoming increasingly challenging for the IRS to catch fraud perpetrators, however, because Congress has cut $1 billion of the agency’s budget over the last two years.

The problem, therefore, continues to grow.  Accountants across the country report that their physician and dentist clients are finding that fraudulent returns have been filed using their Social Security numbers and forged W-2 forms.  The magnitude of breaches this year indicates that the risk is now coming from highly sophisticated criminals both here and overseas, and not just from dumpster-diving thieves, stolen laptops and individual hackers.  Anesthesiologists, pain specialists, nurse anesthetists, anesthesiologist assistants and indeed everyone else should understand the steps to take if they suspect or discover that a fraudulent return has been filed in their names.

The Warning Signs

Individuals may have been the victim of tax identity fraud if they receive a notice or letter from the IRS stating that:

  • More than one return has been filed for the individual’s social security number; or
  • The individual owes additional tax, or there has been a refund offset, or collection actions have been taken for a year in which the individual allegedly did not file a tax return; or
  • IRS records show that the individual received a salary from an employer with whom that individual had no relationship.

Steps to Take if a Fraudulent Return Has Been Filed (or Appears to Have Been Filed)

  1. Respond to the IRS notice, or, if none has been received, contact the IRS Identity Protection Specialized Unit at (800) 908-4490.
     
  2. Obtain an Identity Protection PIN from the IRS.  This is a six-digit number created for eligible taxpayers to help prevent future fraudulent use of your Social Security number.  If you have been a victim of identity theft, the IRS will send you a CP01F notice, inviting you to apply for a PIN.
  3. File a paper return, and attach a Form 14039 Identity Theft Affidavit to explain what happened.  Attach copies of any notices from the IRS, including the 5071C letter, to your tax return. 

    If your Social Security number has been used fraudulently, you should also consider contacting the following agencies to protect your interests:
    • File a complaint with the Federal Trade Commission (FTC) at www.identitytheft.gov or the FTC Identity Theft Hotline at 1-877-4338.  The FTC website recommends other immediate steps and provides helpful information.
    • File a local police report.  Provide all documentation available, including any state and federal complaints you filed.  This likely will be necessary if financial account fraud occurred as a result of the identity theft.  If the fraud is solely tax-related, however, the police report will be necessary only if the IRS requests it.
    • Call the Social Security Administration's (SSA's) fraud hotline at (800) 269-0271 to report fraudulent use of your Social Security number.
       
  4. Consider contacting one of the three credit bureaus (www.Equifax.com, www.Experian.com, www.TransUnion.com) to place a fraud alert on your account.
     
  5. You might also notify your state medical society.  The U.S. Secret Service is coordinating a national investigation and has asked medical societies to forward contact and other information regarding physicians who have been targeted.

To reduce the chances of becoming the victim of tax identity theft in the future, physicians and others can adopt certain practices, including subscribing to identity theft protection software, using an IRS Identity Protection PIN when filing their federal tax returns and filing early.  Beating the criminals to the punch is perhaps the most effective strategy, but not necessarily a practical one for taxpayers with time pressures and complex returns.

Having provided you with all of the information above, we certainly hope that our readers will not need it, now or in the future.

With best wishes,

Tony Mira
President and CEO