April 22, 2014

An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians.

taxfraudScott Colby, executive vice president of the New Hampshire Medical Society, said he started hearing from physicians in his state about a week ago, when doctors who were just filing their tax returns began receiving notices from the Internal Revenue Service that someone had already filed their taxes and claimed a large refund.

So far, Colby has heard from 111 doctors, physician assistants and nurse practitioners in New Hampshire who have been victims of tax fraud this year.

“I’ve been here four years and this is the first time this issue has come across my desk,” Colby said.

In this increasingly common crime, thieves steal or purchase Social Security numbers and other data on consumers, and then electronically file fraudulent tax returns claiming a large refund. The thieves instruct the IRS to send the refund to a bank account that is tied to a prepaid debit card, which the fraudster can then use to withdraw cash at an ATM (for more on how this works, see last week’s story, Crimeware Helps File Fraudulent Tax Returns).

Unlike the scam I wrote about last week — which involved the theft of credentials to third-party payroll and HR providers that are then used to pull W2 records and file bogus tax returns on all company employees — the tax fraud being perpetrated against the physicians Colby is tracking is more selective.

“We’ve done a broadcast to all of the hospital systems in the state, and I have yet to receive one [victim] name from a non-clinician,” Colby said. “And you would think if it was an HR or payroll issue that at least a couple of administrative, non-clinical folks would have been in the mix, but that is not the case.”


Colby said he’s heard similar reports from other states, including Arizona, Connecticut, Indiana, Maine, Michigan, North Carolina and Vermont.

Elaine Ellis Stone, director of communications at the North Carolina Medical Society, said her organization has been contacted by more than 100 individual doctors and medical practice managers complaining about tax fraud committed in the names of their doctors and other medical staff.

“We’ve been getting a lot of calls from people who’ve experienced this scam,” Ellis Stone said. “We don’t yet know exactly why this type of crime is surfacing so much this year, but we haven’t seen this kind of volume in years past.”

Ellis Stone said that initially, the medical society thought the tax fraud incidents might be related to a move last week by Medicare’s first-ever release of information on payments to some 880,000 medical providers nationwide. As part of that data dump, the Centers for Medicare and Medicaid Services listed the National Providers Identification (NPI) number of each doctor; NPI numbers are used by the federal government to keep track of physicians for Medicare and Medicaid billing purposes.

She said initially when her organization reached out the American Medical Association (AMA) to see if they had any theories about the source of the fraud, someone suggested that the recent release of so many NPI numbers may have allowed thieves to somehow look up Social Security numbers and other sensitive data on doctors. But according to Ellis Stone, those NPI numbers have long been available from the U.S. Centers for Medicare and Medicaid. 

Robert Mills, the AMA’s media relations coordinator, confirmed that the association is hearing from state medical societies that tax identity theft seems to be a greater problem this year than in the past. But he stressed that this scheme seems to be targeting professionals generally, not just physicians.

That’s my take on this as well: There may indeed have been some kind of breach of a physician database that fueled this year’s fraud surge against doctors, but my hunch is that we might also see the same sorts of stats being gathered by state organizations focused on other professions. In other words, the incidence of this type of crime is likely off the charts this year.

That said, a story I’m working on for later this week will examine tax fraud schemes committed by a crime gang that appears to be disproportionately targeting employees at several state healthcare organizations.


According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

Tax fraud is an especially insidious form of identity theft because thieves often also create new financial accounts in their victims’ names. That’s because the same information used to file tax returns on someone can be useful in opening up new credit card and loan accounts.

“Some of the docs I’ve spoken with also have received notification that someone is trying to set up new bank accounts in their name,” New Hampshire’s Scott Colby said.

What’s more, victims of tax fraud one year may also find they are targeted by thieves again the next tax season.

Gordon Smith, executive vice president of the Maine Medical Association, said his office has heard from approximately 30 physicians in his state about tax fraud over the past couple of weeks.

“Their stories are all very similar,” Smith said. “I talked to one [doctor] who had this happen to him two years in a row now.”

If you become the victim of identity theft, either because of tax fraud — or due to fraud outside of the tax system — you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.

66 thoughts on “States: Spike in Tax Fraud Against Doctors

  1. Barbara Duck

    Interesting the question went the direction of the MD NPI numbers as they are out there all over the place. Billing fraud folks look for NPIs on doctors who are dead and haven’t been purged and some thieves luck out and the fraudulent claims fly right on through.

    Healthgrades and Vitals, those MD directories riddled with errors helps thieves too as they are not updated so gives them hints on where to go sometimes. About 3 years ago the AMA and I had a nice conversation about my former MD who had been dead for 8 years still listed as taking new patients and it goes on and one. Michael Jackson’s doctor after he long left Beverly Hills and filed bankruptcy was left on there forever. I’ve been on a mission to somewhat get rid of those folks as they are just collecting ad exposure revenue from clicks and don’t really care about content.

    Anyway another avenue thieves can check out as chances are if they are still on these sites, Medical boards have not removed them either as that is one of the resources they use.

    Correct there are tons of places to where MD information can be stolen and a lot of the time it’s a 3rd party vendor doing something they should be, lie Accretive sharing actual patient records with Wall Street broker for one.

  2. MZ

    Doctors are already earning good, not sure why they need to steal tax

  3. John barton

    It seems to me the theft happened to the IRS and not the doctors. The doctors had nothing to do with it. It’s simply a matter that we ve accepted the premise that the consumer has been defrauded when its actually the organization that’s been scammed . Identity theft is pushing the cost of fraud from organizations that are scammed to the consumer. If the organizations were completely responsible then they would take more care to protect themselves.

    Social security numbers are a completely insecure way of identifying people. Organizations that use them don’t understand security and are partly responsible for the identity theft situation consumers now face.

  4. GW

    What if Social Security Numbers were not to be used for identification – as it used to be (and may still be) written right on the issued cards?

    1. AlphaCentauri

      When the system was created, there was a very strong sentiment that the Social Security card was not to become a “national ID card,” something Americans associated with totalitarian states. But lacking any other way to track people in a mobile society, that’s exactly what it has become.

  5. Dag Jensen

    You can add me to your list of physicians who have had their identity stolen this year. I am the victim of the exact scenario described in your article. I am thankful that the IRS recognized this as a tax fraud.

    Thanks for the article.

Comments are closed.