It started small but escalated rapidly.
On April 9, the same day the Centers for Medicare and Medicaid Services released a trove of Medicare physician payment data, New Hampshire Medical Society executive vice president Scott Colby got an email from a local doctor saying he’d been the victim of identity theft and asking if other doctors had reported the same.
The following day he got an alert from an Indiana dental group warning that some of its dentists had been the victims of tax fraud, and by April 14 Colby had heard from enough doctors in his home state that he contacted the New Hampshire Department of Justice, which put him in touch with the local Secret Service office.
The U.S. Secret Service is now leading a national investigation, aided by local IRS agents, into a rash of tax fraud cases against doctors that has spread to at least 18 states.
Medical societies across the country are reporting that thieves have used the names, addresses, and Social Security numbers of clinicians – and in some cases the names of doctors’ spouses and patients – to file bogus state and federal tax returns.
Doctors are being alerted to the data breach either through a letter from the IRS instructing them to visit the identity theft website, or a rejection notification when they attempt to file their taxes electronically. The rejection notices say the taxes have already been filed, and in some cases, the refund already collected.
The state medical societies say they don’t know how the data was obtained, and the Secret Service and IRS aren’t talking about the specifics of the investigation.
Meanwhile, the number of reported tax fraud cases against doctors continues to climb.
New Hampshire leads the way with 170 reported cases, and Indiana and North Carolina have each seen in the neighborhood of 100.
Massachusetts issued an alert to doctors earlier this month, prompting a response from dozens of Bay State doctors claiming to be victims.
And in Oklahoma, State Medical Association executive director Ken King said he has so far heard from more than a dozen doctors in the days since Friday, when he posted an online bulletin about reports coming in from other states.
Officials at medical societies in Oklahoma, North Carolina, New Hampshire and Vermont all told Morning Consult this is the first year they’ve ever heard from their members about the issue.
The state medical societies have become the central hub for reported violations, and are funneling the complaints to the Secret Service, which is building a database to look for patterns that could lead to the source of a breach.
That is, of course, if there ever was a breach targeted specifically at doctors.
“This particular scam is a popular identity theft scheme and is not necessarily targeted at physicians,” the North Carolina Medical Society wrote in a message to members on Wednesday.
Indeed, the IRS has previously warned all taxpayers about the same scheme the doctors are reporting, and even included it in a February publication called the “Dirty Dozen Tax Scams for 2014.” Because it’s tax season, a fraudulent filing is usually the first thing a victim reports after an identity theft.
There is no public evidence to suggest that doctors are being targeted at a higher rate than lawyers, government workers or the general public.
The New Hampshire Medical Society has the most cases, with 170 reported from its 2,200 members. But in neighboring Massachusetts, one of the most densely populated medical communities in the country, there have been only about two dozen reported cases from a medical society that counts nearly 25,000 members.
An IRS official downplayed the possibility that there had been a breach specific to the medical community, saying it was likely a “local crime” and not a “systemic issue with doctors.”
The official said these kinds of targeted attacks don’t typically blanket an entire industry, but rather are contained to an organization, like Target, a hospital or a medical school.
That could explain the reported fraud cases coming out of Michigan, one of the 18 states included in the investigation, where some University of Michigan Health System employees reported this month they’d been the victims of fraudulent tax filings.
Even the American Medical Association, the largest doctor trade group in the country, says it’s premature to speculate that there’s been a doctor-specific breach.
“Physicians were encountering this scheme well before details [from the 18 states] mounted,” said AMA spokesman Robert Mills.
Mills added that while physicians are reporting more cases of this tax scheme than ever, they also have a “heightened awareness of vulnerability due to government policies that allow for public access to physician identifiers.”
Cyber-security and data protection have exploded into the public consciousness after the National Security Agency revelations, Target data breach, Heartbleed bug, and Congressional hearings on the safety of data transmitted through HealthCare.gov. For the medical community, that attention culminated with the CMS data dump.
Many doctors, along with the AMA, opposed the way CMS released Medicare physician payment data earlier this month, saying it could be misused and misinterpreted. The data included physician identification numbers, although those numbers were public information before, and the indication is that the perpetrators of the present scheme are using Social Security numbers.
This raises a chicken and egg question – is it possible that the heightened awareness around these issues, and the fact that the medical societies are actively encouraging members to report violations, led to a spike in reports, but not in violations?
“In general, people are much more aware of cyber-security, and I think too, we put out a message to members saying 100 doctors have been affected, and if it happens to you, to report it,” said North Carolina Medical Society spokeswoman Elaine Ellis Stone. “We’re finding these things out as a group, but in context nationwide, maybe there are just as many lawyers or accountants affected.”
Not all of the medical societies are convinced that these are individual, unrelated identity thefts.
“As it was happening to the individual doctors, they thought initially it was bad luck that they got tagged, until they started hearing from their colleagues,” Colby said. “This is more than a random act, and that’s the hypothesis under which we’re operating.”
King speculated that perhaps it was a single billing company that many of the affected doctors use. That’s exactly the kind of pattern the Secret Service will be looking for.
What’s certain is that the data breaches are a bureaucratic and legal headache for doctors.
State medical societies are recommending affected practitioners file taxes early to deal with a potential rejection notice. Those who receive the rejection notice must fill out paper tax forms and mail them in to the state and federal government.
In addition, those affected are being told to fill out an affidavit along with their paper returns to the IRS, notify their state Department of Revenue, file an identity theft complaint with their state Attorney General and the Federal Trade Commission, file a local police report, report the fraud to the Social Security Administration, and run credit checks on or freeze their existing financial accounts.