Doctors Targeted in Identity Theft Scheme
Cover Story — August 2014
Tex Med. 2014;110(8):20-25.
By Kara Nuzback
A nationwide identity theft scheme is targeting physicians and leaving the Internal Revenue Service (IRS) liable for hundreds of thousands of dollars in fraudulent tax refunds.
Dallas plastic surgeon Kathryn Duplantis, MD, says she found out she'd been targeted in the tax fraud scheme in March, when the IRS sent her a letter saying it had received her return for 2013 and needed more information.
"I hadn't even filed my tax form yet," she said.
Dr. Duplantis says she immediately called the IRS, which had not yet issued a refund in her name. The IRS agent she spoke to deleted the fraudulent refund request and instructed her to file a paper form, she says.
An accountant has filed Dr. Duplantis' taxes electronically for years.
"We've never had this issue before," she said.
For the past five years, attorney and retired neurological surgeon Clark Watts, MD, of Georgetown, also has hired an accountant to file his taxes electronically through the IRS website. Like Dr. Duplantis, he says this year the IRS would not accept his tax forms.
Dr. Watts says the agency told him someone had already filed a return using his Social Security number.
"That was news to me," he said.
As of June, more than 100 Texas Medical Association members notified the association someone had stolen their Social Security numbers and attempted to claim their tax refunds. The association has learned the crime's victims also include physician assistants, advanced practice registered nurses, dentists, podiatrists, and pharmacists. Texas is one of 49 states and the District of Columbia affected by this con.
IRS spokesperson Lea Crusberg says she does not know how many Texas physicians were victims of this year's scam.
"While we are prohibited by federal law from discussing any individual's private tax matters, identity theft remains a top priority for the IRS," she said.
Dr. Watts says he does not know if the IRS issued a check to the person who filed under his name, but he says he overpaid $10,000 to the IRS in 2013.
"We didn't ask for a return. We told them to apply it to next year's taxes," he said. "I don't know what the status is at this point."
Dr. Watts says he doesn't know how the perpetrator got his Social Security number.
The American Medical Association reports it's working with federal officials in the investigation, headed by the IRS and the U.S. Secret Service. At press time, authorities had not identified the source of the data breach.
Brian Krebs, former Washington Post reporter and author of KrebsOnSecurity.com, reports in an article on the tax fraud scheme affecting doctors that the data breach could have occurred at a national organization that certifies or provides credentials to physicians.
In the article, Mr. Krebs notes the scheme comes on the heels of the Centers for Medicare & Medicaid Services' (CMS') release of payment information for 880,000 health care professionals nationwide.
The release included the national provider identifier (NPI) number of each physician. However, he points out, NPI numbers have long been available through CMS, and the payment information CMS made public did not include physicians' Social Security numbers.
The Secret Service recommends all physicians, regardless of whether they have been victimized, visit www.experian.com/fraud and place themselves on a 90-day credit fraud alert. This could potentially slow or halt further attempted identity theft activities. While not every physician is at risk of identity theft, this is a suggested precautionary measure.
Please notify TMA if you have been victimized by this scheme. The association can then convey the scope of the situation to the proper authorities. Contact the TMA Knowledge Center by telephone at (800) 880-7955 or by email.
A National Problem
Medical societies across the country have reported higher-than-normal rates of health care professionals being targeted in this scheme.
According to the medical societies of North Carolina, New Hampshire, Vermont, Connecticut, and Michigan, more than 100 health care professionals in each state were victims of this year's tax refund fraud scheme.
"They had to have gotten our information nationally somehow," Dr. Duplantis said. "I'm thinking it might be Medicare. Every physician is involved in Medicare somehow."
Officials at CMS declined to comment for this story.
At its annual meeting in June, AMA adopted a new policy as a result of the surge in tax return fraud cases among physicians. The association is requesting IRS and CMS adopt regulations prohibiting the use of Social Security numbers by insurers, health care vendors, and other government agencies.
In a press release, AMA Board Chair Barbara McAneny, MD, said, "We believe the IRS should adopt policies that would ensure greater security protection for electronically filed federal income tax returns including the use of universal PINs, or personal identification numbers, that would help curb the incidence of identity theft and the filing of fraudulent federal income tax returns."
AMA offers the following guidance for physicians affected by this scam:
- File a paper return, and attach a Form 14039 Identity Theft Affidavit to explain what happened.
- Attach copies of the 5071C letter and any other notices from the IRS to your tax return. If you have not received notice from the IRS but believe your personal information may have been used fraudulently, call the IRS Identity Protection Specialized Unit at (800) 908-4490.
The North Carolina Medical Society (NCMS) suggests contacting the following agencies if you learn your Social Security number has been used fraudulently:
- File a complaint with the Federal Trade Commission (FTC), which recommends other immediate steps and provides helpful information on its website.
- File a local police report. Provide all documentation available, including any state and federal complaints you filed. This likely will be necessary if financial account fraud occurred as a result of the identity theft. If the fraud is solely tax-related, however, the police report will be necessary only if the IRS requests it.
- Call the Social Security Administration's (SSA's) fraud hotline at (800) 269-0271 to report fraudulent use of your Social Security number. In case your number is being used for fraudulent employment, you also can request your Personal Earnings and Benefit Estimate Statement on the SSA website or call (800) 772-1213. Check it for accuracy.
- Consult the U.S. Department of Justice website for additional information on fraud and identity theft.
Lucky for physicians, the IRS is responsible for issuing refunded taxes to the correct person, regardless of whether the agency already issued the money to a fraudster. But Dr. Duplantis says even if the IRS issues the correct refund to victimized physicians, "that's just taking money out of the taxpayers' pockets."
According to a 2013 report from the U.S. Treasury Inspector General for Tax Administration, the IRS issued about $4 billion in fraudulent tax refunds in 2012.
ThreatMetrix, a cybercrime prevention company, released a report in March estimating another $4 billion in fraudulent tax refunds during the 2013 season.
San Antonio accountant John Bruce, a partner at accounting firm BKD, LLP, says between 65 percent and 70 percent of his clients are in the medical industry.
"Prior to this year, I had zero fraudulent returns filed using my clients' Social Security numbers. This year, I had two clients that we received electronic filing rejection notices for because someone had already filed returns using their identification information, but only one of the two was a physician," he said.
Mr. Bruce says he was unaware physicians were being disproportionately affected. To avoid falling victim to the scheme, he advises setting up a PIN with the IRS. Taking such a measure stops the IRS from processing an electronic tax return without the PIN.
Allan Bachman, education manager for the Association of Certified Fraud Examiners (ACFE), says the problem of tax return fraud this year might not be worse than in years past, but the medical community appears to be a major target this tax season.
According to TMA's Knowledge Center, a handful of TMA members reported they had fallen victim to a similar tax scheme when filing in 2012 and 2013. But the majority of members victimized by the scheme this year reported being targeted for the first time.
"Physicians are high-income earners. They become very attractive targets," Mr. Bachman said.
The trick to avoiding the scam next year, he says, is beating identity thieves to the punch.
"File early — the earlier, the better," he said.
Once identity thieves have your personal information, they can open a debit card in your name. If the thieves complete your tax return before you do, they can request a direct deposit into the debit account and easily take your tax refund out of an ATM.
A TMA member and family physician in Houston, who requested anonymity, says he tried to file his taxes in April through the online service TurboTax.
"I've used it several times in the past," he said. "However, it's the first year I've ever sent it electronically."
Within 24 hours, he says TurboTax sent him an email saying the IRS had rejected his filing.
"Basically, it says they've already gotten my tax return," he said.
The IRS instructed him to print his tax return and file it by paper before April 15. "I'm always the last to file because I have to pay every year," he said.
One month later, he read the article "Tax Fraud Scheme Affects Texas Physicians" in TMA's Action newsletter.
"My antennas went up, and I said, 'This is what happened to me,' " he said.
He called the IRS Identity Protection Specialized Unit using information provided in the Action article. He says the IRS agent asked him questions that only he would be able to answer. When the IRS had confirmed his identity, the agent explained what happened.
"It turns out that earlier in April, a return had been filed electronically using my name, my Social Security number, and a different address, but requesting a refund," he said.
He then filled out an identity theft affidavit alerting credit bureaus of his stolen information. He says he also called his credit card company, American Express, which told him to get a letter confirming the theft from the IRS, take it to the police, and use it as evidence to file a police report.
American Express also advised him to send a copy of the letter to the credit bureau, which would notify him of any use of his Social Security number.
The physician says now that his personal information is out there, he is worried someone could use it for more fraud attempts and lower his credit score.
"My fear is that credit card accounts could be opened," he said.
Mr. Bachman says the fear is legitimate, but most scam artists specialize in only one type of fraud.
"I'm not saying they do not do other things with the information, just that it's not all that common," he said.
Plus, the information's shelf life has a limit because once victims find out about the theft, they typically take steps to protect the information and notify authorities, Mr. Bachman says.
Physicians should remain vigilant and take basic steps to protect their personal information and patient data, Mr. Bachman says.
The Federal Bureau of Investigation offers tips to help you protect your personal identity from thieves. (See "Protect Your Identity.")
Mr. Bachman says identity thieves willing to pay for patient or physician information often approach medical employees.
A U.S. district court judge sentenced a Georgia woman to 27 years in prison in January after she pleaded guilty to stealing the identities of nursing home patients and using the information to file fraudulent income tax returns.
Dr. Duplantis says she enrolled herself and her elderly parents in LifeLock, an identity theft protection company based in Arizona. She contacted the company immediately after she found out someone stole her personal information, and LifeLock put a barricade on her name and Social Security number.
Now, she said, "No one can get money in my name unless they approve it through me."
Dr. Duplantis says the service costs a couple hundred dollars a year.
"It's cheap," she said. "It's worth having."
More information on LifeLock is available on the company's website. Similar services are available from Identity Guard, Identity Force, Trusted ID, and a bounty of other identity protection companies.
Most of the services charge between $10 and $24 per month, and many include a free initial trial period.
According to the IRS, physicians who fell victim to this year's scheme are at risk of being targeted in the future. Drs. Watts and Duplantis say the IRS gave them each a PIN number to use when filing tax returns next year so the agency would know if someone tried to file another fraudulent return.
Kara Nuzback can be reached by telephone at (800) 880-1300, ext. 1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.
Protect Your Identity
The Federal Bureau of Investigation offers several steps you can take to make it harder for thieves to steal your personally identifiable information:
- Check your credit report regularly.
- Don't carry around your Social Security card or any document containing your Social Security number.
- Shred documents that contain sensitive information.
- Only provide your personal information when absolutely necessary. Also, keep track of who has your information, as it could help determine the source of a breach if you become a victim of identity theft.
- Use firewalls and antivirus software to protect your personal computers.
- File your taxes as early as possible. Criminals file their fraudulent returns early to obtain refunds before the legitimate filer submits a return.
- If you're not required to file a tax return, file one anyway to prevent someone else from filing a false return in your name and to be alerted in case someone has already filed a false return in your name.
Source: Federal Bureau of Investigation
Note: Legal articles in Texas Medicine are intended to help physicians understand the law by providing legal information on selected topics. These articles are published with the understanding that TMA is not engaged in providing legal advice. When dealing with specific legal matters, readers should seek assistance from their attorneys.
August 2014 Texas Medicine Contents
Texas Medicine Main Page