Hot Topics
Cyberlaw Cybersecurity Data Security Featured Identity & Access Security Boulevard (Original) Spotlight 

Supreme Court to Consider Identity Theft Case

Avatar photo by Mark Rasch on November 21, 2022

William Dubin, a licensed psychologist in Austin, Texas, provided psychological services to a youth facility known as Williams House. As part of a kickback scheme with the head of Williams House, Dubin had Williams House employees conduct intake of kids admitted to the facility, and then Dubin claimed that these assessments were done by himself, a licensed psychologist. In that way, the state’s Medicaid program would reimburse Dubin at a higher rate, and he would kick back some of this money to the director of Williams House. A criminal investigation revealed that Dubin billed for services provided by a licensed psychologist and received by 300 patients totaling 1,896 hours, although those services were not performed by a licensed psychologist. This resulted in an over-reimbursement by the government. Dubin and his medical practice submitted invoices indicating that he performed X services for patient Y, which was not true, and billed the patient’s Medicaid reimbursement number. Simple fraud; and Dubin was convicted of overbilling the government.

However, in addition to charging him with defrauding the government, the prosecution also charged Dubin with aggravated identity theft/identity fraud. The federal criminal code, 18 USC 1028A, provides that, whomever, during the course of committing certain other federal crimes (including program fraud), “knowingly … uses, without lawful authority, a means of identification of another person” is guilty of an additional crime. Assuming the patients’ Medicaid reimbursement number is a “means of identification”, the question is whether the psychologist “used” this number “without lawful authority”. That’s really two questions–did the psychologist “use” the number and, if so, was this done “without authority”?

The federal appeals court for Texas had no problem concluding that the psychologist “used” the patients’ “means of identification” in the sense that they presented this ID to the government when they asked for reimbursement. They also concluded that the use was “without lawful authority”, since the psychologist never saw the patient and therefore had no authority to use their account to bill the government. So, instead of being convicted of fraud, the psychologist was convicted (and sentenced) for both fraud and for identity theft.

But does this make sense?

On October 10, 2022, the United States Supreme Court took up the Dubin case to resolve a split among the federal courts about what exactly Congress meant to punish when it passed the identity fraud statute. What does it mean to “use” the means of identification of another “without lawful authority?”

In other cases, the government has prosecuted ordinary fraud as “identity theft.” Thus, a massage and acupuncture clinic that billed Medicaid for covered physical therapy was convicted of aggravated identity theft. Puerto Rican doctors artificially inflated their grades to pass the medical boards by using a Xerox machine to copy other students passing scores (without their names) to the failing students’ exam sheets. The ID fraud? Issuing now “invalid” prescriptions (since they were not lawfully authorized doctors) to patients, which included the patients’ names. Since the unlicensed doctors had no “lawful authority” to issue the prescriptions, they had no “lawful authority” to use the patients’ names. In another case, a husband and wife who owned an ambulance company fraudulently billed Medicaid for transporting named patients to kidney dialysis “on a stretcher” (for higher reimbursement) and were convicted of identity theft. In another case, the defendant created a counterfeit handgun permit for someone else who was awaiting trial on a drug charge and could not obtain a legitimate permit. That person used the fake credential—which contained her own name and birthdate—when trying to buy a gun but was unsuccessful. In that case, the defendant was convicted of helping the woman falsely impersonate herself because he issued the fake certificate (which contained the name and birthdate) “without lawful authority.”

So what do these words mean?

Statutory Interpretation

In Through the Looking Glass, author Lewis Carroll recounted the following dialogue between Alice and Humpty-Dumpty:

“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “It means just what I choose it to mean — neither more nor less.”

“The question is,” said Alice, “whether you can make words mean so many different things.”

“The question is,” said Humpty Dumpty, “which is to be master — that’s all.”

In this case, it is important to try to understand what is meant when Congress proscribed “using” someone’s identification without authority. A normal person (that is, not a lawyer) would think that this means to–in some sense–pretend to be them, but it may go a bit further than that. For example, if I were to buy a list of Social Security numbers and addresses and file claims for Social Security benefits under those names, that would be identity theft. I would be pretending to be the recipient. This concept of “pretending to be someone you aren’t” or “pretending to have authority you don’t” is reflected in other federal criminal statutes, like the false personation of a federal official statute, which makes it a crime for anyone who “falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value…”

However, there is a difference between committing fraud that requires the name or address of a person and committing fraud by impersonating the name or address of a person. In the Dubin (psychologist) case, the federal court concluded that Dubin committed identity fraud because “Patient L’s means of identification—the patient’s Medicaid reimbursement number—was used, or employed, by David Dubin in the reimbursement submissions to Medicaid. Based upon the records provided to Medicaid for reimbursement, David Dubin asserted Patient L received services that he did not receive.” Thus, under the strict reading of the statute, Dubin “used” (submitted) Patient L’s means of identification (Medicaid number) fraudulently. If the words fit, you can’t acquit.

Context Clues

The problem is that words not only have meaning, they have to have meaning in context. Congress enacted a special “identity theft” statute to deal with a specific problem–people using other people’s identities without authorization. In fact, the House of Representatives, in considering the bill, made it clear that the legislation was intended to address “the growing problem of identity theft”, citing multiple examples of criminals making use of someone else’s personal information to pass him or herself off as another person, or the transfer of such information to a third party for use in a similar manner, like filing bogus income tax returns in others’ names, establishing credit using others’ names or applying for and receiving Social Security benefits under others’ names. Congress called out the role that data brokers and insecure websites have in contributing to the problem of identity theft, noting:

“FTC’s statistics suggest that identity thieves are obtaining individuals’ personal information for misuse not only through ‘‘dumpster diving,’’ but also through accessing information that was originally collected for an authorized purpose. The information is accessed either by employees of the company or of a third party that is authorized to access the accounts in the normal course of business, or by outside individuals who hack into computers or steal paperwork likely to contain personal information.”

At present, there is a split among the federal circuit courts; some courts take the narrow view that “identity theft” is limited to “false personation” crimes and other courts take the broader view that any time a person’s identity information is used in furtherance of a crime, this constitutes an enhanced offense.

No word yet on whether falsely using a blue checkmark on Twitter constitutes a violation of the statute.

The high Court has not yet set a briefing schedule on the case. The case is Dubin v. United States, Dkt No 22-10, October Term, 2022.

Recent Articles By Author
Avatar photo More from Mark Rasch
Mark Rasch , , , ,
Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark