Michael Lowe is Celebrating Over 20 YEARS of Service

Learn More

Medical Identity Theft: Texas Criminal Defense of Health Care Fraud Charges

Posted on by

In Texas, both state and federal law enforcement are keenly focused upon the investigation and prosecution of all varieties of health care fraud, which can result in serious prison time upon conviction.  From a criminal defense standpoint, this investigatory zeal into the medical industry is of serious concern in part because of its impact long before formal charges or an arraignment.  For many people, the mere suspicion or accusation that they have been involved in some type of medical fraud can be life-altering and result in permanent harm to their personal and professional lives.  For more, read our earlier discussions in:

Targeting health care fraud in Texas is a major undertaking for both state and federal authorities.  It is considered to include a wide-ranging area of criminal enterprise, involving all sorts of activities corresponding to the medical industry.  Right now, The Texas Attorney General’s Office describes health care fraud prosecutions as most commonly involving either:  (1) Health Insurance and Medical Billing; (2) Medicare and Medicaid Fraud; (3) Home Health Care Fraud; and (4) Drug Fraud and Abuse.

However, in 2020, changing circumstances are shining a light on a specific type of health care fraud due to the Coronavirus Pandemic.  Criminal defense attorneys who represent those suspected or accused of health care fraud must accordingly be prepared for an increase in these types of defense representations.

COVID-19 and Rise in Medical Identity Theft

This particular type of health care fraud that is getting more and more local scrutiny during the Coronavirus Epidemic involves a form of identity theft.  See, “Security Experts Warn of Elevated Threat of Medical ID Theft during Coronavirus Pandemic,” written by Alanna Autler and published by CBS-DFW on June 22, 2020.

COVID-19 has exposed the vulnerabilities of medical information stored by all sorts of health care professionals, from hospitals to local emergency care clinics and area practitioner’s offices.  Medical identity theft involving data breaches of medical information stored online is a growing area of Texas health care fraud investigations.

HIPPA Encryption Issue

What’s happening?  For one thing, there is no federal mandate for personal information contained in medical files to be encrypted under the Health Insurance Portability and Accountability Act (“HIPPA”).  Encryption is not mandatoryAs explained by the Department of Health and Human Services (“HHS”):

“Is the use of encryption mandatory in the Security Rule?

 “ Answer:  No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

However, a careful reading of the fine print in the HHS answer suggests that encryption should happen.  Notice within this response the use of the word “addressable” which requires encryption if a “risk assessment” finds that encryption to be “reasonable and appropriate” precaution to protect the confidentiality, integrity and availability (CIA) of medical information.  If things are not encrypted, then the doctor, clinic, hospital, etc., must document “the rationale for this decision.”

Given the option, a great many health care providers are not encrypting their medical files.  Health insurance companies, likewise, are notorious for storing trillions of bytes of personal medical information without opting for the protection of encryption.  Read, “Encryption Not Required of Health Insurance Companies,” written by Jaime White and published by LifeLock.

What is Medical Identity Theft?

HHS defines “medical identity theft” as the theft or use of “a patient’s personal information (like your name, Social Security number, or Medicare number), to submit fraudulent claims to Medicare and other health insurers without your authorization.”

4 Scenarios for Medical Identity Theft

However, fraudulent medical identity theft is much more complicated than this definition.  Researchers have found four main scenarios for medical identity theft:

  1. An uninsured individual uses someone else’s personal health information (“medical identity”) in order to get medical care;
  2. An individual wants to keep his personal health information private for personal or professional reasons, so he or she uses someone else’s personal health information (“medical identity”) to get medical care;
  3. An individual uses someone else’s medical information to get prescription drugs for his or her own recreational use or for distribution to others; and
  4. An individual poses as a health care provider and uses someone else’s medical information (“medical identity”) to submit fraudulent health insurance reimbursement claims.

See, Lindgren, Stephanie (2019) “Identities in Critical Condition: The Urgent Need to Reevaluate the Investigation and Resolution of Claims of Medical Identity Theft,” Mitchell Hamline Law Review: Vol. 45 : Iss. 1 , Article 11, page 50.

What is taken in Medical Identity Theft?

All sorts of personal and private information may be found and allegedly used for illegal purposes in a medical identity theft case.

1.  PII – Patient Information

Essentially, medical identity theft can involve any type of Personally Identifiable Information (“PII”), which has been defined by the U.S. General Services Administration (OMB Memorandum M-07-1616) as:

“…. information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual.”

A. Health Care Data

Of course, individual health care and medical insurance files can have all sorts of private facts and figures.  Medical identity theft can include things directly related to physical or mental health such as details of:

  • Past and present health conditions and diagnoses;
  • Height, weight, blood type, allergies, age, etc.;
  • Drug prescriptions and medication histories; and
  • surgery, anesthesia, and rehab records.


B. Financial Information

Files kept by hospitals, doctors, clinics, insurance carriers, human resource offices, etc., will also have all kinds of information that pertains more to the financial circumstances of the patient, policyholder, or employee than to their health condition.  Medical identity theft can also involve the following personal data:

  • Insurance coverage details;
  • Birth date;
  • Bank account identification numbers;
  • Credit card identification numbers; and
  • Social Security Administration identification numbers.

For more, read “Healthcare Data Hacking Could Lead to Identity Thefts,” written by Linda Carroll and pubished by Reuters on September 23, 2019.

2.  Health Care Providers

Hackers are also known to access and sell information related not to patients but to health care providers.  Buyers are able to use this data to impersonate a doctor, for example, including DEA licenses, medical diplomas, and more, enabling them to sell either prescription drugs or to market prescriptions for others to take to the pharmacy for filling.

For more, read:  “This Is How Hackers Make Money From Your Stolen Medical Data,” written by Charlie Osborne for Zero Day and published by ZDNet on June 5, 2019.

Illegal Use of Personal Medical Information: Profitable Fraud

Accessing the personal health data and medical file information of one or more individuals is the first step in medical identity theft.  The crux of criminal charges involves how this personal information is used.

While the researchers have recognized the four above types of medical identity theft, law enforcement will likely focus efforts on those who are accessing the private information for a large numbers of individuals in order to make a profit.  This usually involves collecting payments from health insurance companies or from prescription drug sales.

  • Health care providers may be targeted in investigations where they are suspected of filing fraudulent insurance claims for profit. Here, the hospital (doctor, dentist, pain clinic, etc.) may be accused of filing bogus claims or filing inflated claims, where reimbursement is requested from the health insurance carrier for procedures that were never performed.
  • Suspected drug dealers may be targeted by law enforcement for lucrative, voluminous medical identity thefts as well. This is because medical identity thefts are a known vehicle used to purchase a variety of prescription drugs using stolen insurance information or other PII which are then sold alongside illegal drugs at a tremendous profit.

According to the Federal Bureau of Investigation (FBI), one of the most common health care fraud scams using medical identity theft involves the following (quoting from the FBI’s site):

  1. Providing an inducement, such as money or a gift, to beneficiaries to visit a location (normally medical clinics) where identities are obtained when the patient signs in;
  2. Obtaining patient information when patients obtain a free screening, a method frequently seen at health fairs;
  3. Inducing medical personnel with access to patient insurance information to copy the material and provide it to those involved in fraud schemes; or
  4. Purchasing the information from others involved in fraud, including owners of fraudulent companies and marketers of stolen patient and physician billing information.

In today’s Coronavirus Pandemic, the federal government also warns of medical identity theft tactics tied to concerns over exposure to COVID-19.  The HHS has issued a public warning that “scammers are offering COVID-19 tests to Medicare beneficiaries in exchange for personal details, including Medicare information.

Here, medical identity theft involves “fraudulent telemarketing calls, text messages, social media platforms, and door-to-door visits,” with the stolen PII used to fraudulently bill Medicare or Medicaid.

Texas Penal Code §32.51 and Medical Identity Theft

Texas Penal Code §32.51 (“TPC”) prohibits the “Fraudulent Use or Possession of Identifying Information,” which encompasses allegations of Medical Identity Theft under Texas law.  Anyone arrested by state authorities for identity theft involving personal medical information will face charges based upon this statute, as well as any others that the prosecutors decides to include (or stack) against him or her.

What types of information can form the basis of Medical Identity Theft charges?

Under TPC §32.51, “identifying information” means information that alone or in conjunction with other information identifies a person, including a person’s:

(A)  name and date of birth;

(B)  unique biometric data, including the person’s fingerprint, voice print, or retina or iris image;

(C)  unique electronic identification number, address, routing code, or financial institution account number;

(D)  telecommunication identifying information or access device; and

(E)  social security number or other government-issued identification number.

When is it against the law to use this personal medical information?

As for the actions undertaken with this medical information, TPC §32.51 defines it to be a criminal act when “the person, with the intent to harm or defraud another, obtains, possesses, transfers, or uses an item of:

(1)  identifying information of another person without the other person’s consent or effective consent;

(2)  information concerning a deceased natural person, including a stillborn infant or fetus, that would be identifying information of that person were that person alive, if the item of information is obtained, possessed, transferred, or used without legal authorization; or

(3)  identifying information of a child younger than 18 years of age.”

Help for State Proving their Case: Fraud is presumed under TPC 32.51

What about motive?  The legislature has helped the prosecution with its burden of proving the motivation of the accused in TPC §32.51.  Here, the statute provides that “… the actor is presumed to have the intent to harm or defraud another if the actor possesses:

(1)  the identifying information of three or more other persons;

(2)  information described by Subsection (b)(2) concerning three or more deceased persons; or

(3)  information described by Subdivision (1) or (2) concerning three or more persons or deceased persons.

However, this presumption does not apply to “a business or other commercial entity or a government agency that is engaged in a business activity or governmental function that does not violate a penal law of this state.

Sentencing for Medical Identity Theft under TPC §32.51

Conviction for violation of TPC §32.51 constitutes a state jail felony if the conviction is based upon less than five (5) pieces of identifying information.  This means a sentence of up to two (2) years in a Texas state jail along with a maximum fine of $10,000.

The punishment escalates to a felony of the third degree if the number of items obtained, possessed, transferred, or used is five or more but less than 10; a felony of the second degree if the number of items obtained, possessed, transferred, or used is 10 or more but less than 50; and a felony of the first degree if the number of items obtained, possessed, transferred, or used is 50 or more.

Restitution to the victim, including lost income, can be ordered as well.    Also, the punishment will be enhanced to the next higher category if it is proven at trial that (1) the offense was committed against an elderly individual (as defined by TPC §22.04); or that (2) the actor fraudulently used identifying information with the intent to facilitate an offense under Texas Code of Criminal Procedure Art. 62.102.

Criminal Defense of Medical Identity Theft Health Care Fraud Charges

Medical Identity Theft may be prosecuted by either federal or state prosecutors.  In Texas, any individual arrested and charged for Medical Identity Theft can face potential felony charges with the possibility of several years’ imprisonment in a Texas facility along with orders to pay restitution and fines.

For anyone who suspects that they are being investigated for medical identity theft, it is imperative to aggressively defend against these suspicions as soon as possible.  Personal reputations and professional livelihoods can be irreversibly harmed by the mere gossip or innuendo of a medical identity theft charge and the earlier there is experienced criminal defense advocacy involved, the better.

After an arrest for Medical Identity Theft, it is important to implement individualized criminal defense strategies to minimize punishment through plea negotiation as well as challenging the veracity of the case as a whole as compiled by either the local District Attorney or U.S. Attorney General’s Office.  See, e.g.:


For more information, check out our web resources, read Michael Lowe’s Case Results, and read his in-depth article,” Pre-Arrest Criminal Investigations.”



Comments are welcomed here and I will respond to you -- but please, no requests for personal legal advice here and nothing that's promoting your business or product. Comments are moderated and these will not be published.

Leave a Reply

Your email address will not be published. Required fields are marked *