Your NPI Is Easy to Steal; Here's How to Prevent That

James F. Sweeney


September 10, 2019

Six physicians were near the brink of financial disaster after a criminal stole their identities and National Provider Identifiers (NPIs).

Miguel de Paula Arias, a Florida con man, stole the identities of six retired and semi-retired physicians and ran a Medicare fraud scam that netted him more than $1.6 million over 5 years. He was eventually caught and sentenced in 2017 to 13 years in prison and ordered to pay restitution.

The innocent doctors, as a result of Arias' crimes, received bills from the Internal Revenue Service for unpaid taxes and from Medicare for repayment of the fraudulent claims. Fortunately, the situation was resolved and the physicians didn't have to pay.

Although other documents were involved, Arias couldn't have done what he did without the doctors' NPIs. The unique 10-digit identifier is assigned to physicians and other healthcare providers and organizations by the US Department of Health and Human Services (HHS). It's a part of almost every electronic transmission of health information, but NPI theft and misuse have become a danger against which physicians must protect themselves.

"It's quite a common experience in medical fraud cases," said Matt Charette, special agent in charge at the HHS Office of Inspector General. "In most cases, physicians have no idea their NPI is being used."

Your NPI Is Readily Available to Others

Many physicians are unaware of how easy it is to steal and misuse an NPI, said Zenobia Harris Bivens, a Houston attorney who defends doctors in Medicare fraud cases.

"They need to be more aware of what an NPI is and why it's so important. Once people realize how important it is, they can be more vigilant about who they share it with," she said.

Misappropriating an NPI doesn't require computer hacking skills or breaking into databases. The numbers are everywhere, including in digital communications among practices and from the Centers for Medicare & Medicaid Services (CMS), laboratories, insurers, hospitals, and other organizations. Some physicians even print them on their prescription pads.

And anyone can enter a doctor's name into a public CMS registry and get not only the physician's NPI, but other data as well, such as the NPI enumeration date and type, NPI status, whether the practice is a sole proprietorship, mailing and practice addresses, phone numbers, Medicaid ID, and state license number.

"It's enough information to commit very substantial medical fraud and commit identity theft. This is incredible starting information," said Pam Dixon, founder and executive director of the World Privacy Forum, a nonprofit organization researching data privacy.

Criminals use NPIs and other information in a variety of scams, such as medical device companies placing fraudulent orders with Medicare or a nurse or coder stealing a prescription pad and setting up a false mailing address to which opioids are delivered.

In one notorious case, a Florida couple "opened" a phony clinic and, using stolen NPIs and Medicare ID numbers, filed fraudulent prescriptions for controlled substances that were later sold on the street.

Is There Any Way to Protect Your NPI?

It's impossible to keep an NPI private. The federal government makes it so. However, although the number can't be concealed, there are steps doctors can take to keep it as private as possible.

First, they should be aware of how their practice uses physicians' NPIs and with whom the numbers are shared. In many cases, use of the NPI is required, but the practice should stop using it on documents or during transactions where it's not necessary, said Mary Ellen Seale, CISSP, founder and CEO of the National Cybersecurity Society, a nonprofit that provides cybersecurity education, awareness, and advocacy to small businesses.

