Medical Identity Theft a Growing Concern


Rodika Tollefson, KP News

Editor’s note: This is part 3 in our series about cybersecurity and digital privacy.

The data breach of Anthem, the second-largest U.S. health insurer, was among the major headlines of 2015. The breach, which exposed private data of as many as 78.8 million customers, was the result of a cyberattacks attributed earlier this year to someone acting on behalf of a foreign government.

While health care industry breaches of this magnitude may be infrequent, health care organizations have increasingly become the target of hackers. One of the reasons is the value of medical identity records on the dark web.

Because they have a much richer data set—everything from birthdates and Social Security numbers to physical characteristics and billing information—they fetch around $50 to $70 and in some cases as much as $500. For comparison, W-4 employee records can be bought for under $20 and credit card numbers for $1-$2.

For victims, consequences can range from misdiagnosis due to erroneous health records, to loss of insurance. In many cases, victims are also on the hook for paying thousands of dollars in bills for services they didn’t receive.

When banking or credit card accounts are compromised, or a person’s identity is stolen, there are mechanisms for raising red flags. There is no equivalent for flagging a stolen medical identity, which means bad actors can exploit it for a long time before the theft is detected.

“One of the realities of health care is that over the last five years, it has undergone a significant digital transformation,” said Thad Dickson, a Key Peninsula resident and CEO of Xpio Health, a Gig Harbor company that provides security and compliance services to health care organizations.

Thanks to this digital transformation—mandated largely by the federal government—most medical records are now electronic.

“In financial services, this was done 10-15 years ago and there was chaos in the banking industry as well,” Dickson said. “Now that we’re facing the same transition … the way have to secure those systems is evolving rapidly.”

Anyone visiting a medical provider has had to sign privacy paperwork thanks to the Health Insurance Portability and Accountability Act (HIPAA). Among other things, HIPAA requires providers to keep private patient information secure. As of June 30, the Office of Civil Rights (part of the Department of Health and Human Services) has levied more than $72 million in total fines against 52 providers and business associates for violations.

Providers must report breaches that affect more than 500 individuals. According to OCR’s database, 198 incidents were reported in 2010, the first full year of enforcement. The number rose to 296 in 2014 and 327 in 2016.

An analysis of the OCR database shows that IT/hacking has been increasingly responsible for larger proportions of the data breaches—from 16 of 208 in 2013 to 57 of 269 in 2015 and 113 of 327 in 2016. The trend is holding so far this year.

What You Can Do

While consumers can’t prevent medical identity theft, they can minimize the chances of fraud.

“Reviewing your EOBs (explanation of benefits statements) is hard work that consumers need to exercise,” Dickson said. “Make sure you’re looking at copies of your insurance bill to see what’s been covered and paid for, and make sure those are services you obtained.”

In addition to checking provider statements, a periodic review of patient records can help spot discrepancies. Many providers have online patient portals but they may not be the best avenues.

“They don’t always have complete copies, only snippets, so it’s better to get a complete printout of the medical record,” Dickson said. Under HIPAA, consumers now have a right to correct their health records.

The Medical Identity Fraud Alliance also suggests not oversharing health-related information on social media, as fraudsters are good at aggregating information. And if you’re part of the craze of using a mobile app or wearable fitness tracker, check to see how those companies are collecting, storing and using your info—they don’t fall under the same rules as medical providers.