Supreme Court: Does BIlling Fraud Violate Federal ID Theft Statutes?

Simple question: Is a user ID and password similar to an identification card like a driver’s license or a key? If I use your user ID and password to log into your account, am I committing the crime of trespass, breaking and entering or false personation? What does it mean in the law to “use” the identity of another person “without authorization?”

In 2004, concerned with the increasing problem of identity fraud and identity theft, Congress enacted a sentencing enhancement provision for people who, during the course of committing certain other felonies, “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” They referred to the statute as an “aggravated identity theft law” which focused on the use of someone’s identity “without consent” but did not specifically require that the identity be “stolen.”

In a case argued before the U.S. Supreme Court on February 27, 2023, the court is being asked to decide whether overbilling constitutes aggravated identity fraud. In particular, when a hospital or other provider, having obtained a patient’s name and other billing information, bills the government more than that which is appropriate for the patient. Where they bill for services not performed or for more money than allowed—without the “consent” of the patient. Under those circumstances, has the hospital or other provider “used” the patient’s “means of identification” in the sense that they used the patient’s name and Medicare/Medicaid number? Sure. Have they done so “without authorization?” Well, the patient authorized the use of their name to bill for services rendered, but certainly not to overbill, right? Was this use in furtherance of a felony? Probably, if the hospital knew it was committing fraud. So, is overbilling, under these circumstances, “aggravated identity theft?”

Courts are split.

In the case pending before the Supreme Court, the United States Court of Appeals for the Fifth Circuit held that the government had proven all of the necessary elements of use of the identity of the patient without authorization and that the sentencing enhancement was mandated. This is the same conclusion reached by federal courts in the Fourth Circuit. On the other hand, courts in the Ninth federal circuit and the Sixth Circuit focused not on the strict language of the sentencing enhancement statute but on its purpose—to prevent identity fraud and theft by punishing those who used a person’s identity fraudulently—not just someone who billed fraudulently using someone’s identity. The Ninth Circuit case noted that, in that case, the defendant “provided massage services to patients to treat [the patient’s] pain and then participated in a scheme where that treatment was misrepresented as a Medicare-eligible physical therapy service. … [and that the] fraudulent scheme ran afoul of other statutes—namely, health care fraud and unlawful remunerations—but not section 1028A. We hold that [the defendant] did not “use” the patients’ identities within the meaning of the aggravated identity theft statute.” Similarly, the Sixth Circuit focused on the fact that, while the services performed were “miscoded,” causing the government to pay more than appropriate for the services, the services were, in fact, provided and were provided for that patient.

On the other side, the Fourth and Fifth Circuits held that the enhancements are appropriate because the statute does not require that the identities be “stolen” or even obtained by fraud—just that they be used “without lawful authority.” When the hospital presented the government with a bill for services to patient X falsely representing the nature or cost of the services performed for that patient, the hospital or provider was “using” that patient’s identity (in the sense that their name was on the bill). Aggravated identity fraud.

While in a narrow sense, the case presents an issue for the Supreme Court of statutory interpretation—what did Congress mean, and what did they say?—in a larger sense, it represents a common problem that occurs when applying laws to technology. The law developed over hundreds of years in the “real” world—with concepts of trespass, theft, invasion of privacy and false personation developing in the law over generations. When we move from the “real” to the “virtual,” these laws—applied by analogy—often break down. Certainly, the hospitals in each of these cases submitted documentation for reimbursement which were both fraudulent and contained the names of patients. But what is “identity fraud?” Is it merely committing fraud and using someone else’s name? Or is the essence of “identity fraud” some form of misappropriation of identity—falsely “passing off” oneself as another? Would it be different if a hospital claimed to have performed services for persons on a list that they found online who were never actual patients? Is there a genuine distinction between billing a real patient for a service never performed or billing at a higher price for a service actually performed? Or, is there a difference between describing a service actually performed (for which one reimbursement rate is permitted) as a different service (with a higher reimbursement rate)? Is one of these mere fraud and the other “aggravated identity fraud?”

In statutory interpretation, words—even words we think of as being unambiguous—have meaning based on context. Courts can apply the words literally or they can try to effectuate the purpose behind those words. Were you to ask reasonable people whether billing a patient more than permitted is “aggravated identity fraud” (not just whether it’s a crime), I suggest that most would say it is not. But a formalistic application of the specific words of the statute can lead to results other than those intended by Congress.

There’s nothing new about the Supreme Court trying to figure out what Congress said and what Congress meant. What is different is that, as the technology changes, what Congress meant to do may no longer be what prosecutors and judges are doing. The case, Durbin v. United States, was argued on February 27, 2023. 

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark