Supreme Court Hears Healthcare Identity Theft Case
Case Involved Use of a Patient's Name to Overbill Medicaid
Marianne Kolbasuk McGee (HealthInfoSec) • February 28, 2023
Credit Eligible
Supreme Court Hears Healthcare Identity Theft Case
The U.S. Supreme Court this week heard a case challenging what constitutes identity theft in healthcare fraud. (Image: Getty Images)
Justices on the U.S. Supreme Court seem ready to restrict federal prosecutors' use of a federal law criminalizing identity theft after hearing a case challenging its application in a Medicaid fraud case.
See Also: OnDemand | Navigating the Difficulties of Patching OT
Traditional identity theft involving appropriation of personal information for criminal ends, such as obtaining fraudulent prescriptions or submitting fake insurance claims, is a long-standing problem. The case before America's highest court wasn't about identity theft in that sense. Federal prosecutors in Texas successfully used the aggravated identity theft statute to add two years to the sentence of a man convicted of overbilling Medicaid for mental health services provided by the Austin company he co-owned.
David Dubin received a one-year prison sentence for the overbilling and a two-year mandatory sentence for identity theft because he used a patient's name while submitting exaggerated claims to Medicaid. Federal prosecutors obtained the conviction by pointing to statute language making it a felony to use "without lawful authority" another person's identity - and by saying that Dubin acted outside the law by submitting a false claim in the patient's name. The patient is a minor identified in court proceedings only as "Patient L."
Dubin's defense told the Supreme Court that's a misreading of the law. The law criminalizes using "another person’s name without permission that was lawfully acquired" - actions that hew to the traditional concept of identity theft, his attorneys wrote in their appeal to the Supreme Court.
Legal experts say a ruling in the Dubin case will be important on several levels, including in the prosecution of other cases involving the criminal use of a patient's protected health information moving forward.
During oral argument Monday, Jeffrey Fisher, representing Dubin, told the justices that his client's conviction "stretches the aggravated identity theft statute beyond its breaking point."
Identity theft "has to be a lie about who receives services or who obtains services, not a lie about how those services were rendered," he told the nine justices. If the government prevails, "it would transform fraud prosecutions to having every one of them be essentially an aggravated identity theft prosecution, too."
Dubin did not use the patient's identity without lawful authority, Fisher argued. "He had permission to use Patient L's identity to bill Medicaid for psychological services, and that's precisely what he did."
The justices picked at the argument, questioning other potential examples of authorized use of identity versus potential identity theft committed in other fraud scenarios.
"If the government's theory is correct and every time I order salmon at a restaurant I'm told it's fresh, but it's frozen, and my credit card is run for fresh salmon, that's identity theft," said Justice Neil Gorsuch.
They also questioned Vivek Suri, a Department of Justice attorney there to represent the government's case. Justice Clarence Thomas asked Suri: "What if the fraudulent Medicaid claim involved rounding up the time billed from 2.5 hours to three hours?"
"Would that be sufficient to violate this provision?” he asked, and Suri replied it would. "I appreciate that that may seem an unattractive result," he said.
"Well, I think 'unattractive' is an understatement," Thomas responded.
Other Avenues for Prosecution
If justices restrict application of the identity theft statute in cases such as Dubin's, prosecutors will still have other legal avenues to pursue, says Rachel Rose, a regulatory attorney. For example, HIPAA criminalizes disclosure of a patient's protected health information for the submission of fraudulent healthcare claims, she says.
Criminal HIPAA disclosures have been at the center of other high-profile healthcare cases, including a complex federal healthcare fraud case prosecuted several years ago against pharmaceutical maker Warner Chilcott (see: Guilty Plea in Rare HIPAA Criminal Case).
"Regardless of whether aggravated identity theft allegedly occurred, False Claims Act liability, which the government may choose to make criminal, is the underlying cause of action in the Dubin case," Rose says.
Marianne Kolbasuk McGee (HealthInfoSec) • February 28, 2023
Credit Eligible
Supreme Court Hears Healthcare Identity Theft Case
The U.S. Supreme Court this week heard a case challenging what constitutes identity theft in healthcare fraud. (Image: Getty Images)
Justices on the U.S. Supreme Court seem ready to restrict federal prosecutors' use of a federal law criminalizing identity theft after hearing a case challenging its application in a Medicaid fraud case.
See Also: OnDemand | Navigating the Difficulties of Patching OT
Traditional identity theft involving appropriation of personal information for criminal ends, such as obtaining fraudulent prescriptions or submitting fake insurance claims, is a long-standing problem. The case before America's highest court wasn't about identity theft in that sense. Federal prosecutors in Texas successfully used the aggravated identity theft statute to add two years to the sentence of a man convicted of overbilling Medicaid for mental health services provided by the Austin company he co-owned.
David Dubin received a one-year prison sentence for the overbilling and a two-year mandatory sentence for identity theft because he used a patient's name while submitting exaggerated claims to Medicaid. Federal prosecutors obtained the conviction by pointing to statute language making it a felony to use "without lawful authority" another person's identity - and by saying that Dubin acted outside the law by submitting a false claim in the patient's name. The patient is a minor identified in court proceedings only as "Patient L."
Dubin's defense told the Supreme Court that's a misreading of the law. The law criminalizes using "another person’s name without permission that was lawfully acquired" - actions that hew to the traditional concept of identity theft, his attorneys wrote in their appeal to the Supreme Court.
Legal experts say a ruling in the Dubin case will be important on several levels, including in the prosecution of other cases involving the criminal use of a patient's protected health information moving forward.
During oral argument Monday, Jeffrey Fisher, representing Dubin, told the justices that his client's conviction "stretches the aggravated identity theft statute beyond its breaking point."
Identity theft "has to be a lie about who receives services or who obtains services, not a lie about how those services were rendered," he told the nine justices. If the government prevails, "it would transform fraud prosecutions to having every one of them be essentially an aggravated identity theft prosecution, too."
Dubin did not use the patient's identity without lawful authority, Fisher argued. "He had permission to use Patient L's identity to bill Medicaid for psychological services, and that's precisely what he did."
The justices picked at the argument, questioning other potential examples of authorized use of identity versus potential identity theft committed in other fraud scenarios.
"If the government's theory is correct and every time I order salmon at a restaurant I'm told it's fresh, but it's frozen, and my credit card is run for fresh salmon, that's identity theft," said Justice Neil Gorsuch.
They also questioned Vivek Suri, a Department of Justice attorney there to represent the government's case. Justice Clarence Thomas asked Suri: "What if the fraudulent Medicaid claim involved rounding up the time billed from 2.5 hours to three hours?"
"Would that be sufficient to violate this provision?” he asked, and Suri replied it would. "I appreciate that that may seem an unattractive result," he said.
"Well, I think 'unattractive' is an understatement," Thomas responded.
Other Avenues for Prosecution
If justices restrict application of the identity theft statute in cases such as Dubin's, prosecutors will still have other legal avenues to pursue, says Rachel Rose, a regulatory attorney. For example, HIPAA criminalizes disclosure of a patient's protected health information for the submission of fraudulent healthcare claims, she says.
Criminal HIPAA disclosures have been at the center of other high-profile healthcare cases, including a complex federal healthcare fraud case prosecuted several years ago against pharmaceutical maker Warner Chilcott (see: Guilty Plea in Rare HIPAA Criminal Case).
"Regardless of whether aggravated identity theft allegedly occurred, False Claims Act liability, which the government may choose to make criminal, is the underlying cause of action in the Dubin case," Rose says.