By Margaret Collins BLOOMBERG NEWS

Sierra Morgan was billed $12,000 on her health care credit card in November for liposuction, a procedure she never requested or received.

“It’s depressing to know that someone used my name and knows so much about me,” said Morgan, 31, a respiratory therapist from Modesto, Calif.

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008, according to Javelin Strategy & Research, a market research firm. The average fraud cost $12,100, Javelin said.

“A trend we’ve seen over the past few years is using stolen information to file false claims,” said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Association, a nonprofit research group.

Criminals set up fake clinics to bill for phony treatments, said Pam Dixon, founder of the World Privacy Forum, a nonprofit consumer-research group based in San Diego, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The digital files will improve care and help lower costs, the government said, without projecting savings.

“Once files are in electronic form, the crime scales up quickly,” said Dixon, whose group analyzed a decade of consumer data from the Federal Trade Commission and medical identity theft cases from the Department of Justice.

“There are cases where someone has walked out with thousands and thousands of files on a thumb drive,” she said. “You can’t do that with paper files.”

Patients’ medical records are altered to reflect diseases or treatments they never had, which can be life-threatening if they receive the wrong treatment or find their health insurance exhausted, Dixon said. A thief may change the billing address for a victim’s insurance so they’re unaware of charges, she said.

“Once you aggregate and put data in one place, it’s easier for you to see it, but it’s also easier for a criminal to see and use it,” said Scott Mitic, chief executive of TrustedID, a consumer data-protection firm. “The digitization of medical records over the next years is certainly going to make this more of an issue.”

Fraud at a high cost

Brandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for a Houston-based oil company.

“I’m as healthy as they come,” he said.

Sharp said he spent six to nine months correcting his medical files, outstanding charges and credit report.

Medical identity theft is about 2½ times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught.

The average fraud involving health information was $12,100, compared with $4,841 for all identity crimes last year, and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.

“It’s becoming the credit card with a $1 million limit,” said Jennifer Leuer, general manager of ProtectMyID.com, an identity-protection service provided by Experian PLC, a credit reporting firm. “If the health insurance is valid, they’ll treat you and not always check your ID.”

Insurers are improving technology to spot false claims, said Tom McGraw, a senior vice president at Ingenix, a subsidiary of UnitedHealth Group Inc. McGraw leads a group focusing on fraud involving Medicaid and Medicare, the two government-sponsored health programs for the poor and the elderly, he said. The company can now track distances between providers and beneficiaries to identify whether physicians are treating patients who don’t live nearby, he said.

Legislation passed last year requires doctors and hospitals to notify patients when their information has been exposed from a security breach, said Randy Sabett, co-chairman of the Internet and data protection practice at Sonnenschein Nath & Rosenthal, based in the law firm’s Washington office.

To read the remaining article