New York (dbTechno) - Following a federal investigation into the New York Presbyterian Hospital/Weill Cornell Medical Center, it has been revealed that 40,000 hospital patients have been victims of identity theft.

Authorities do not believe that any health-related information was involved in the identity theft. What was stolen from the patients though was their social security numbers, phone numbers, names, etc.

The hospital is currently working on contacting all 40,000 patients who were impacted by the identity theft.

They have also set up a phone line to field questions about the situation.

Hospital spokesperson Myrna Manners stated that the hospital is not aware as of yet that any patient has been a victim of financial fraud or anything of that nature due to the thefts.

There has yet to be any information as to who stole the data, how, etc.

The 40,000 patients were all treated in the hospital within the last two years.

The investigation also included an internal audit of the hospital. No information in that regard was revealed.

Catching a medical identity thief is extremely difficult, but clearing your name, medical and financial records may be almost impossible, law enforcement and privacy experts say.

Once false medical information is merged with true medical records, the damage can be catastrophic, the experts say.

Unraveling the paperwork nightmare is further complicated by federal privacy laws and the growing popularity of electronic medical recordkeeping, said Pam Dixon, executive director of the World Privacy Forum, which has studied this subcategory of identity theft.

Altered health records can cause someone to fail a pre-employment medical screening. A person can be rejected for health insurance for a pre-existing medical condition he doesn't have or because other records say the person has other medical coverage.

Unpaid medical bills can show up on credit reports or be sent to collection agencies. People can be denied care because records show they previously received a prescription or treatment. And a person can seek treatment and learn she has reached her benefits cap.

Wrong medical information also can put victims at risk for injury or death if they enter a hospital ER unconscious or incapacitated, officials say.

Unlike standard identity theft — where consumers can file warnings with credit bureaus — victims have no clear pathway for recourse and recovery.

There's no central reporting agency where medical professionals can learn of medical privacy breeches. No mechanism is in place to warn healthcare providers or insurers when a stolen medical identity is used out of state.

The trail of false information in medical records can follow a person for years because it's almost impossible to find every place it's circulated, from doctors to medical labs to hospitals.

With the growing use of electronic record keeping, wrong medical information can be duplicated and disseminated endlessly through computer networks, healthcare providers and medical information sharing pathways, Dixon said.

The federal Health Insurance Portability and Accountability Act, which is designed to protect personal health information, can obstruct attempts to correct records, Dixon said.

The federal law gives healthcare providers and insurers 90 days to respond to requests to change medical records. If they disagree with the request, they don't have to change the record. Victims can also be denied access to their medical records under HIPPA if they're intermingled with an impersonator's health information.

This year, the federal Identity Theft Task Force added medical identity theft to its strategic plan, and some states are looking at enacting medical data breach laws that would require healthcare providers and insurers to notify customers when patient data is improperly accessed or released, Dixon said.

Some providers with the Kaiser Permanente health network now also require patients to show a driver's license and the program's health card for service, according to a 2006 World Privacy Forum report on identity theft, the first and only comprehensive report of its kind.

After a case of medical identity theft occurred at the University of Connecticut Health Center, mandatory driver's license checks were implemented for patients. Health center staff told World Privacy Forum researchers that approximately a dozen people each week attempted to impersonate beneficiaries.

Locally, Lower Bucks Hospital in Bristol Township and St. Mary Medical Center in Middletown require patients to present photo identification when they register for services, including emergency room visits. Abington Memorial doesn't ask patients for photo ID in its ER. Holy Redeemer in Abington and Frankford hospitals didn't respond to requests for information.

Demanding photo identification will do almost nothing to stop most medical identity theft since it's most often perpetrated by healthcare workers without the victim's knowledge, Dixon said.

Independence Blue Cross credits or disburses recovered money to fraud victim accounts, and it works with customers to fix medical and claim histories. Aetna has a field unit devoted to correcting medical records of identify fraud victims.

Mike Stergio, Aetna's special investigations unit, acknowledged only in-house insurance records can be corrected. It's why he sees a need for national safeguards and information clearinghouses similar to what exists for standard identity theft victims.

“There are so many ways to do it, some are easier to fix than others,” he added. “It's the only way to stop it.”