Slashdot News: How to Spot and Prevent Medical Identity Theft
Foxbusiness.com | westhill consulting insurance - While credit card breaches at retailers are grabbing headlines, identity thieves are quietly homing in on an even more lucrative area: health insurance and medical records.
More than 1.8 million people in the U.S. were victims of medical identity theft in 2013, according to a survey by the Ponemon Institute released in September. That's a 19 percent increase over the previous year. "Medical identity theft is the fastest growing component of ID theft," says Drew Smith, founder and CEO of InfoArmor, a provider of business-to-business identity theft solutions.
The latest case involves the alleged theft by Chinese hackers of 4.5 million medical records from Community Health Systems, a company that runs 206 hospitals in 29 states. Thieves stole records including names, addresses, birth dates, telephone numbers and Social Security numbers. Like any type of identity theft, medical ID theft can damage your credit and cost you hours of hassles trying to clear it up. But it could also endanger your life if incorrect information appears on your medical records. Why the bull's-eye? Health information is easier to hack than credit. In April, the FBI issued a private industry notification warning to health care providers that their data networks are not as robust as those in the financial and retail sectors, and "the possibility of increased cyber intrusions is likely."
Safeguards are in the works, but the move to electronic records and the health exchanges set up under the Affordable Care Act, otherwise known as Obamacare, have opened new opportunities for fraud, both online and off. Experts say Americans can expect to see medical fraud heat up again in the months before open enrollment for 2015 government-subsidized insurance begins in November 2014.
Your medical ID: black market gold
Why would hackers bother with health insurance when they could get a direct line to your pocketbook via credit cards or financial accounts? "It's very lucrative," says Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance. "Stolen protected health information can be monetized for a much greater value than traditional financial account information."
A complete medical identity -- including name, address, phone number, Social Security number, medical insurance information and access to medical records -- is worth about $50 on the black market, says Michael Bruemmer, vice president of Experian's Data Breach Resolution group. "Without medical or insurance information, that drops to about $10 for someone's stolen information." Bruemmer's group helped resolve 1,000 health care client breaches last year, including the largest breach of HIPAA, the Health Insurance Portability and Accountability Act.
Medical identity theft usually happens on a large scale, with hundreds or even thousands of identities stolen at one time. Once hackers have a medical ID, they can use it to procure prescription drugs or expensive medical equipment or simply to commit financial fraud -- often for months or years before anyone notices. Why? Partly because people don't pay much attention to their medical or insurance records. While most of us wouldn't let a bank or credit card statement go unread, we tend to ignore the explanation of benefits (EOB) issued by our health insurance after we have a doctor's appointment or medical procedure.
'Friendly' fraud common
More than half of all medical identity theft is what's known as "friendly fraud" or "a victimless crime," according to the Ponemon Institute study. A typical example: an uninsured sibling or friend borrows your insurance card for a procedure, with or without your permission.
In 2013, the Medical Identity Fraud Alliance interviewed 800 victims of medical fraud. When asked what they would do differently, half said nothing. "Especially with the Robin Hood or 'victimless' crime, most people don't think there are consequences," says Patterson. "They say it's no big deal." Yet there is no such thing as victimless medical identity theft. "If your sister has allergies that you don't have or a different blood type, her allergies and blood type are now comingled in your records," Patterson says. If you're unconscious and need an emergency transfusion or injection, that misinformation can kill you.
That kind of consequence comes, in equal measure, from both friendly and malicious medical identity theft, yet we continue to be lax about sharing our health information. "As a society, we just look at health in a very different way than we look at our finances," Patterson says.
Detecting medical fraud before it hurts you
Sometimes it takes a questionable medical bill to alert someone of a compromised medical identity, but even that doesn't always do the trick. Many people simply ignore such bills from their insurance companies. By the time a red flag goes up, your insurance may have been used to procure prescription drugs, black-market medical equipment and emergency room visits.
The consequences can be expensive. The Ponemon Institute found that 36 percent of medical ID theft victims pay to resolve the issue, and their out-of-pocket costs average nearly $19,000. Even if you don't end up paying out of pocket, such usage can wreak havoc on both medical and credit records, and clearing that up is a time-consuming headache. That's because medical records are scattered. Unlike personal financial information, which is consolidated and protected by credit bureaus, bits of your medical records end up in every doctor's office and hospital you check into, every pharmacy that fills a prescription and every facility that processes payments for those transactions.
Bruemmer expects that will change soon, with more progressive states raising the bar. "California, in particular, has the most stringent standard for what constitutes a medical or health care breach," he says. If an individual's username and password is compromised on a health care portal there, the provider is required to notify him or her within five days, Bruemmer says. "I actually think that's the way the industry is going and there will be more regulations across more states," Bruemmer says.
Compiling a composite identity for the big scam
One small breach of information here and there may not seem like much, but each one could be adding up to something serious. "Five years ago, most hackers were looking for Social Security numbers, credit card numbers. They were going for the quick, easy fraud," says Smith. "Today, they're looking to steal someone's health credentials, insurance information, credit card account passwords, so they can continue to monetize victims' identities over a longer period of time."
"Thieves are getting smart," Bruemmer agrees. "One organization may take a username and password, another is your credit information, and another is your Social Security number. The last one may actually get your medical records. What they're doing is amassing, in three or four incidents over a period of time, the full identity stream." Bruemmer says, for example, that thieves often use hacked email accounts to gain personal information. "People say, 'Oh, it's just the username and password for my email account, I'll just change that.' You'd be surprised how many people forget and let it go. Then, all of a sudden, something really bad happens."
As with any organized crime, fraudsters jump from one channel to the next, as each locks down. "In the financial world, they jumped from hard checks to electronic to online banking, and now mobile fraud," Patterson says. "Now they're jumping from traditional financial channels into health care channels."
Like the RAM-scraping in 2013's big retail breaches, online medical fraud has become more sophisticated in recent years. Yet old-fashioned huckstering is alive and well. In July, the owner of NC Behavioral Health and Counseling Services of Durham, North Carolina, was indicted for health care fraud, identity theft and 13 other criminal charges after submitting bogus claims for at least 56 clients. Court records allege that instead of covering medical services for the patients, the owner spent the $1 million she received from Medicaid on a Cadillac Esplanade, a Mercedes and a swimming pool.