Synthetic Identity Fraud
By
David Barmak, JD CEO
Synthetic identity fraud is a combination of fabricated credentials where the implied identity is not associated with a real person. Fraudsters may create synthetic identities using potentially valid Social Security numbers (SSNs) with accompanying false personal identifiable information (PII). Our skilled nursing facility (SNF) elders are at great risk for identity theft, which has recently taken an even greater turn for the worse in terms of sophistication and extent.
Take the following hypothetical (based upon a true story presented by Valenti and Korinko in “To Snare a Menace,” Fraud Magazine, March/April 2022). Mary, an elderly short-term resident in a SNF, first knew she had a problem when a retail store called her about a credit card she had not filled out an application for. She notified the director of nursing, who in turn notified the administrator and the compliance and ethics officer. They all recognized the possibility of Mary being a victim of identity fraud, but as it turned out, it was much more complicated and sophisticated than that. Traditional identity theft might have stopped there; however, in this situation, the fraudster created many synthetic persons to obfuscate his efforts, and access and control Mary’s credit history.
The SNF learned that the identity theft involving the retail store was only the tip of the iceberg. Identity theft reports were initially made to credit reporting agencies, The goal: to try to stop the fraudster from opening many more credit card accounts. Unfortunately, and to Mary’s great consternation, she had to prove who she said she was.
Mary, with the help of the compliance and ethics officer, contacted a fraud expert who specialized in identity theft. The expert assisted Mary in placing fraud alerts with the credit bureaus. They also requested and received credit reports from all available reporting agencies. They found dubious activity in the credit reports. For example, requests for new credit cards and the opening of a bank account. She also checked for collection activity. Because all of the fraudulent attempts were in Mary’s name, they were able to see all completed applications for both credit cards and the bank account.
They notified Mary’s bank regarding her identity theft. They then discovered that the fraudster had also opened a virtual office outside her home state. This virtual office became the destination for all of her mail. Fortunately, the credit bureaus and the bank denied the fraudster’s efforts. The fraudster soon noticed that they had located the virtual office and had 1 retrieved Mary’s mail. Not to be deterred, the fraudster changed his own address with the merchants and financial institutions. The result: he continued to receive Mary’s mail in her name. He managed to set up a virtual office because the virtual office company did not require two forms of identification with the application.
How did the fraudster obtain Mary’s information? Turns out Mary reviewed apartment rentals just before entering the SNF and the fraudster worked at the company. The fraudster stole Mary’s identity from her application for an apartment. Overall, the fraudster made 110 fraud attempts using Mary’s stolen identity, many of which were successful.
The immediate efforts by Mary and the fraud expert prevented the fraudster from successfully obtaining merchandise or cash through Mary’s identity theft.
Mary and the fraud expert continued to investigate leads from the credit agencies’ information. Inexplicably, the fraudster did not retrieve the mail, including the credit cards in Mary’s name, from the virtual office. Might the fraudster be aware of Mary’s and the fraud expert’s investigative efforts? It turns out the answer was “Yes.”
Mary placed a fraud alert with the credit reporting agency. The agency told Mary that the fraud alert was unnecessary. Why? Because a fraud alert had already been placed and there was a “lock” on the account. This protection plan cost $29.95 per month. The fraudster had paid for the lock. Adding insult to injury, the fraudster paid for this service using one of the stolen credit cards. They then learned that the fraudster created, in Mary’s name, a fake Michigan driver’s license. This was used as required government identification to purchase the credit-monitoring service.
The fraudster then changed Mary’s date of birth in her credit file and blocked her access to the credit account when the file was locked by the fraudster. He also changed her home address and telephone number. Now the credit agency would end up calling the fraudster whenever it detected any dubious activity. Result – the fraudster knew every effort made by Mary and the fraud expert.
Every time the fraudster filed a fraudulent loan application, he’d lock the account while waiting for the banks and merchants to access her credit history. Mary and the fraud expert were unable to track the fraudster’s real-time efforts.
Mary continued to be victimized when the fraudster created synthetic persons. He combined Mary’s real Social Security number with a different date of birth and a fictitious name and address.
The fraudster legally changed his own name twice in one year in order to create synthetic identities and evade identification.
Fortunately, Mary and the fraud expert eventually identified the fraudster’s real name and all the synthetic persons by comparing her home address with the addresses located in the credit reports, applications to credit companies, application to the bank, and merchants.
All crimes were then referred to the local U.S. attorney’s office.
Mary then became concerned about her tax returns. What if the fraudster filed a false tax return f earlier than Mary did? What if the fraudster then received any tax refund due her? The fraud expert advised Mary to electronically file her tax return the first minute after midnight on April 15. Mary did so.
If businesses are not going to adopt better controls to protect us from identity theft, SNFs and residents must check credit reports, credit card statements and bank transactions, for suspicious activity. It is also critical to routinely shred all documents with personal information.
To safeguard the confidentiality of resident Protected Health Information (PHI), SNFs should implement an Identity Theft Prevention Program that includes the following steps:
Show covered accounts – Resident accounts and billing records that include resident identifying information are considered as covered accounts under Red Flag Rules, which are often referred to as the Fair Credit Reporting Act’s Identity Theft Rules.
Identify Relevant Red Flags – Staff must be alert for discrepancies in documents and resident information that suggest risk of identity theft or fraud and respond timely.
Monitor covered accounts for evidence of identity theft, and contact the resident, if necessary. Change passwords and security codes as appropriate. Notify law enforcement of any identified concerns.
Program Oversight – The Privacy Officer/Compliance and Ethics Officer, with oversight by the Compliance and Ethics Committee, should develop, implement, oversee, and administer an Identity Theft Prevention Program.
Approve the Identity Theft Prevention Program – Red Flag Rules require that the Identity Theft Prevention Program be approved by the Governing Body, an appropriate committee of the Governing Body, or highest executive authority (the president, owner). Reports of activity of the Program should be given to the Governing Body on a regular basis.
Provide workforce training about the Identity Theft Prevention Program on an annual basis. General training should be provided to all employees to sensitize them to the issues surrounding identity theft. Staff involved with resident registration and with resident accounts must be trained on the details of the Identity Theft Prevention Program.
Oversee Service Provider Arrangements – For any third party granted access to the covered accounts in providing services, the SNF must ensure that the activity is carried out in compliance with its Identity Theft Prevention Program. This is accomplished through a business associate agreement.
Any resident can become a victim of identity fraud, including synthetic person theft. Medical identity theft is a growing problem. Implementing an Identity Theft Prevention Program is an important activity in protecting each resident’s personal information.