More than a Health Sector Problem…
Medical identity theft has become a fast-growing strain of identity theft in Canada and the United States. Personal health insurance information is valuable and vulnerable. When it gets into the wrong hands it can be used to steal expensive medical services, even surgeries, and prescription drugs, or to procure medical devices or equipment such as wheelchairs. Beyond fraudulently acquiring government benefits, one’s medical identity is a commodity that can be hijacked and used to falsify insurance claims or be sold on the black market, where it can be used to create entirely new medical identities based on the data.
Devastating for the Fraud Victim
Because current consumer protections aren’t specifically designed for medical identity theft, people need to understand that they may have to take on extensive work to clear up fraudulent bills. But there’s another, far more dangerous problem with medical identity theft: The thief’s own medical treatment, history, and diagnoses can get mixed up with your own electronic health records—potentially tainting and complicating your care for years to come. And that isn’t a hypothetical problem.
A recent study by the Institute for Critical Infrastructure Technology (ICIT) called “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims” found that stolen medical data is more valuable than any other type of breached information. ICIT concluded that health care information is ten times more valuable than financial data because it has more uses, and health care fraud is more difficult to track. The bank calls you if they see charges in the system that raise an alarm, whereas medical identity theft is much easier to hide for a longer time.
Setting credit accounts back to normal can be a hassle, but your money is, for the most part, protected by the credit card industry. “Hackers realize that it is simple to cancel a credit card, (but) difficult to change a Social Security number, and nearly impossible to change all the information in an EHR,” the report states. “Once a hacker owns an EHR, they effectively own the victim.”
So-Called Friendly Fraud
Sometimes victims of medical identity theft know exactly how the crime occurred, but for others it remains a mystery. The Ponemon Institute, a private cybersecurity research firm, surveyed 1,005 people last year whose medical identity was “most likely” assumed by someone else. In the study, 10 percent of victims said their event was the result of a healthcare provider or insurer data breach, and an additional 12 percent believe they were tricked into giving up personal information via a fake email or phony website.
But 47 percent of respondents said that their identity theft was perpetrated by a relative or someone else they knew. Twenty-four percent said a relative stole their identity without their knowledge or consent. And surprisingly, the other 23 percent of respondents said they willingly shared their credentials with someone they knew. That’s why the crime sometimes is referred to as “friendly fraud.”
Most of the people who voluntarily let someone they know use their medical information (e.g. because the other person had no coverage or couldn’t afford medical treatment) said they didn’t consider their actions wrong or criminal. “They think of it as a Robin Hood crime—that no one is getting hurt and that if a family member is ill, they can help them,” says Larry Ponemon, chairman of the Ponemon Institute. “Those in our studies who did recognize it as a crime saw it as minor, like driving 5 miles above the speed limit. They don’t recognize the cost burden to insurance companies or healthcare providers, or that it ultimately ends up in the lap of consumers.”
Knowingly allowing a friend or relative to use your health insurance is illegal, an act of fraud against insurance companies and health providers, as well as the government in the case of services covered by public health insurance.
Electronic Health Records and Breaches
As recently as 6-8 years ago, your medical information was kept in paper files, but now it has a more robust virtual life—in electronic health records and in details you share online. All of that can increase the likelihood that the wrong people could gain access to your data. Big data breaches in the healthcare industry have been on the rise over the past decade, including the hack of U.S. health insurer Anthem in 2015, when about 70 million of its records were reportedly stolen. The Ponemon Institute revealed in May of this year that nearly 90% of healthcare organizations in the U.S. suffered data breaches in the past two years, costing the healthcare industry about $6.2 billion.
A huge problem stems from the health care industry’s lax efforts to boost cybersecurity. “The health care sector trivialized threats and ignored cybersecurity for too long. Now it is plagued by ransomware attacks, data leaks and patient database breaches, unauthorized medical network access, compromised medical devices and copious amounts of insider threat and social engineering based fraud,” states the ICIT report. Unfortunately, many health organizations are poorly managed in terms of privacy. Boards of directors are often donors and very few have any type of privacy experience. Privacy officers are systemically under-resourced and are not given the voice and decision-making power they need. They need the budget and clout to actually get those privacy programs initiated, and to get the technology they need. Meanwhile, old technology is attached to a network without a security framework or threat risk assessment. So the health care industry continues to be a soft target for hackers.
Most at Risk for Medical Identity Theft
What industry analysts do know is that some people are more likely to become targets. According to the nonprofit World Privacy Forum, older adults might be more susceptible to scams because they tend to be less circumspect about giving up personal health information. Children’s health records are aggressively pursued by criminals, it turns out, because a minor’s credit report—which would list unpaid debts—isn’t usually seen by parents until a child is old enough to secure credit in his or her name.
Anyone who casually puts a lot of personal information on social media sites and apps, such as might attract medical identity thieves, too, explains Pam Dixon, Executive Director of the World Privacy Forum. “Criminals are very good at aggregating social media information and pairing it with health and other data they’ve gotten, like dates of birth and addresses.”
Be Proactive – Scrutinize your Records
Consumer Reports suggests a few basic ways you can safeguard your medical privacy and identity: Read those explanation of benefits letters as if they were bank statements. Carefully check all of the correspondence you receive from health insurers and healthcare providers for accuracy and for bills of service that you don’t recognize. Also review your credit reports for unfamiliar debts.
As long as the health sector is behind on the data security front, individuals need to stay extra vigilant.
If you are a health organization looking to improve your security posture, contact PRIVATECH.