Medical identity theft has been compared to the wild west for hackers.
The crime is largely new and uncharted territory and happens when someone steals an individual's personal information to obtain health care.
What's worse, many victims complain the federal law intended to protect privacy known as HIPAA has made it harder for victims to get their identities back.
Medical Identity theft is a lot like credit card theft with one major difference.
A victim can cancel a card and freeze their credit, but they can't cancel their medical history.
Especially in cases of a medical emergency, experts warn a compromised medical identity could be deadly.
Important information like prescription medications, pre-existing conditions and allergies, all used by doctors to make determinations about an individual's care, can be compromised by a medical identity thief leaving victims vulnerable.
"This could have killed me," said California resident Ronnie Bogle. KING5 has been following his journey to regain his stolen identity for months.
It was stolen by his brother, Gary Bogle.
"I am severely fatally allergic to Penicillin and if they had given me that I wouldn't be sitting here," Ronnie said.
Ronnie's brother, Gary, had obtained health care under Ronnie's name at hospitals from coast to coast, in Florida, Colorado, and Washington.
"This is lung treatment, liver treatment. This is serious illnesses he has been treated for," Ronnie said.
Ronnie only discovered the fraud after thousands of dollars in emergency care landed on his credit, leaving him with the worst possible credit rating.
He was unable to obtain a loan, even a basic credit card.
"If you get denied, you automatically get your report. It was just pages and pages of hospitals all across the country," Ronnie said. "I was completely horrified."
Making matters worse, in Ronnie's case, was The Health Insurance Portability and Accountability Act, commonly known as HIPAA.
The federal law was designed to protect an individual's privacy. The law also claims to reduce fraud by requiring that health care providers keep a patient's medical records confidential.
It backfired for Ronnie.
"The moment you say identity theft, they say, 'Because of HIPAA, we can't talk to you any more,'" Ronnie said. "I'm talking about hospital, after hospital, after hospital. 'We have to protect the rights of the person that was actually treated. So, therefore Ronnie, if you are telling us this is not you, we can't talk to you any longer.'"
Hospitals refused to give Ronnie information about services received under his name, arguing HIPAA required them to protect the actual patient, in this case the thief.
The situation made it difficult for Ronnie, the victim, who the hospital was holding responsible for the bills, to determine what exactly had happened and why he was receiving bills from hospitals in states he had never lived.
Ronnie is not alone.
Last year, two separate cyber attacks on health insurers Anthem and Premera Blue Cross compromised more than 90 million Americans' personal information, leaving them vulnerable.
A 2015 report by the Medical Identity Fraud Alliance found that medical identity theft had increased about 21.7% from the year before.
"It is a bit of the wild west in the health care industry," said Ann Patterson, SVP of MIFA. She works to reduce instances of medical fraud.
Patterson says hospitals and doctor's offices are misinterpreting the law.
"Victims are entitled to their own medical records in full even if it is corrupted and has information about the thief, but there is confusion around that," Patterson said.
Now Washington Senator Patty Murray is taking on that confusion, supporting a bill to increase education about HIPAA.
She and other senators also wrote the Department of Health and Human Services pressuring it to clarify the rights of identity theft victims under the law.
"I wanted to have a clear understanding from the Department of Health and Human Services that HIPAA rules would not preclude somebody from finding out what they needed to know and the facts in the case," Sen. Murray said.
The government responded, "The individual has a right to everything in his or her own designated record set regardless of the source of the information."
"They made it very clear that when your identity is stolen you do have a right to see your records and hospitals can provide that to you," Murray said.
Ronnie's brother Gary is serving 16 months in a county jail for identity theft in California. He was extradited to the state and convicted after being arrested in Olympia.
It's a fraction of the sentence Ronnie has received at the hands of his brother.
He's still monitoring the mail for yet to be discovered unpaid hospitals bills and fighting to clear his credit.
"You have no idea the nastiness I would get in that box," Ronnie said.
Ronnie is still being denied his records by hospitals around the country.
So KING5 went to HHS for even further clarification about HIPAA.
In a statement, KING5 was told that if a hospital determines the entire record they have on file is fraudulent, rather than partially corrupted, the hospital doesn't have to turn the record over.
At that point, a victim can request an amendment to get those records of out their name and that request should be granted, or the victim can file a federal complaint.
The provider should also stop holding the victim accountable for the bills.
That has not happened for Ronnie. So he is now pursuing civil lawsuits against the hospitals.
The best thing consumers can do to avoid a similar situation is routinely check their credit and read any statements received about health care in their name very carefully.
The sooner this crime is caught, the better.
