Tag Archives: medical records

Why Medical Records Are Easy to Hack

If hacked credit and debit card account numbers are like gold in the cyber underground, then stolen healthcare records, containing patient information, are like diamonds.

Private details such as Social Security numbers, birth dates, physical descriptions and patient account numbers historically have been recorded on paper and stashed away in physical file folders and cabinets.

But the Internet all too rapidly has become our hub of commerce and social interaction. And that shift has included a mandate by the federal government to go paperless. The result: Healthcare records now exist in digital form, stored in ways that make them easy to hack.

Infographic: The ripple effect of medical identity theft

The criminal opportunities have not escaped organized cyber crime gangs that are stepping up hacking and stealing.

The Ponemon Institute found that many healthcare organizations get attacked multiple times each year, suffering losses ranging from several thousands of dollars to more than $1 million per incident. The total loss to the industry can be as much as $5.6 billion annually.

“In the dark Internet, there seems to be more activity around the theft of medical information, not just to commit medical identity fraud, but to farm that data for a very long time (for other purposes),” says Larry Ponemon, chairman of Ponemon Institute, which has been conducting medical identity theft research since 2010.

Stolen healthcare data can be worth 10 to 50 times more than payment card data in the cyber underground. Electronic health records fetch around $50 per record, according to the FBI. Some experts put that number as high as $500 for some types of medical records.

Credit and debit card numbers, by contrast, can sell for as little as $1 to $2 per account number.

“There’s an enormous online marketplace for these records,” says Kurt Stammberger, senior vice president of marketing at Norse, a security company that monitors malicious and criminal Internet traffic. “It’s like eBay — people bid, and there’s a ‘buy now’ price.”

Costly exposures

Healthcare companies are taking major financial hits—and writing off this exposure as an extraordinary cost of doing business. Details on the pain level for breached companies are surfacing, thanks to data breach disclosure rules under the Health Insurance Portability and Accountability Act (HIPAA). For instance:

  • WellPoint, a managed-care company, settled a case with the U.S. Department of Health and Human Services for $1.7 million last year. WellPoint allegedly left electronic records of more than 600,000 people accessible over the Internet because of a security weakness.
  • New York and Presbyterian Hospital and Columbia University agreed to a $4.8 million settlement earlier this year after substandard security led to 6,800 patient records becoming accessible by search engines online.
  • Individual consumers are getting harmed financially, as well, to the tune of $12.3 billion last year. Ponemon’s 2013 Survey on Medical Identity Theft found that more than one third of victims paid an average of $18,660 out of pocket to recover from data theft. That included being compelled to reimburse healthcare providers for services supplied to an impersonator.

Prevention hurdles

Healthcare experts, privacy advocates and law enforcement officials acknowledge that the fundamental problem is mushrooming and won’t be easy to stabilize.

Part of the challenge is financial. The Affordable Care Act mandates that providers expend 80% to 85% of premiums on quality care—and that doesn’t include any provisions to prevent services from going to an identity thief.

According to Forrester Research, only 18% of healthcare organizations’ tech spending budget goes to security, compared with 21% across all sectors. And most providers plan a minimal or zero increase in budget.

“The mission of healthcare providers is to take care of patients, and anything that can interfere with patient care takes a back seat,” says Paul Asadoorian, product-marketing manager at vulnerability management vendor Tenable Network Security. “Security is one of those things.”

Meanwhile, individual victims of healthcare data theft can be left twisting in the wind.

The financial services industry maintains a central database where stolen identities can be flagged; the healthcare industry has nothing of that sort. In fact, it even lacks a simple standard for authenticating the identity of anyone who steps forward to request patient care.

There is no standardized practice for assuring the identity of a patient via an insurance ID card combined with another form of ID, observes Ann Patterson, senior vice president and program director for Medical Identity Fraud Alliance (MIFA). “That poses challenges for healthcare providers, when their main concern is quality of care,” Patterson says.

6 Trends Signaling Major Opportunity

Last year, I decided to pursue a career transition as a full-time occupation. I’ve been out in the market for the past six months, assessing business opportunities as I network with executives in financial services, healthcare, media and retail, as well as with VCs, private equity investors and advisers.

What’s been great is that invariably any role in any organization, however broad, will be framed by the priorities that drive the business, which may be using a short-range lens defined by the annual plan, or one that doesn’t offer much of a peripheral view.  Transition-as-occupation offers full permission to set the aperture and depth of field for insight-gathering and exploration.

What has also been remarkable is not only the generosity of many people at the top of their respective fields to share perspectives, but also how I’ve been able to help others by playing the role of connector among people who may not normally meet up with each other, but who are excited to understand how others are addressing common questions in a complex and changing environment.

Here are six connected trends on the collective mind of the leaders with whom I’ve met. They represent a snapshot of what I am hearing. Within them are opportunities to be realized across this industry:

  • Customer-centricity – is it talk or walk? C-suiters certainly verbalize that “customer-centricity” matters, but few teams demonstrate that empathizing with the customer is bedrock for viable, win/win relationships, growth and profit improvement. The phrase has as many definitions as (or more than) the number of people defining it. Most significantly, the connection to concrete, quantifiable business priorities is generally missing. For those who get beyond the buzzwords, there is tremendous tangible value, even disruptive opportunity, in being a customer-focused player in this sector.
  • Old norms don’t work…digital and innovation are essential. Businesses are faced with redesigning processes, structures and metrics, recruiting more agile learners who are also able to deliver and overcoming legacy infrastructure to adopt new technologies. This level of change in the way businesses operate is not for the faint-hearted. The companies that take on these real implementation requirements will gain ground.
  • Yes, technology truly is changing everything. Even with greater efficiency, there is no growth without compelling offerings that meet big market needs. For companies engineered to serve baby boomers, serving the millennial generation requires profound change, not just a digital coat of paint. The implications go way beyond having a social media presence, cool apps and clever advertising. The millennial generation is inheriting a different world, re-shaped in good and bad ways by prior generations.  The starting point for progress is to be truly insight-led, and not presume you know what people want and need.
  • The marketing bar is being raised. This discipline has been disrupted, and more is being demanded. Traditionally viewed as “support” people, marketers are now being held to results that require a different seat at the table, a different talent profile, processes and resources and an entirely new set of connections with colleagues and external partners. Begin by redefining relationships, especially with product, IT and sales internally, and with the advertising and media agencies as key outside partners.
  • Two tales are playing out within financial services. Legacy institutions remain heavily focused on regulation, compliance, expense reduction and cyber security…while fin tech is hot, with capital flowing into payments, wealth management, consumer lending and related start-ups pursuing market disruption and reshaping the industry. Start-ups are doing great things in this sector and will keep incumbents on their toes, as well as representing potential acquisition opportunities as a strategy to modernize. Alignment around a clear strategy and a collaborative culture are at the foundation of leading change vs. playing defense.
  • Healthcare disruption is creating opportunities, but the pace is slow. Payers and providers are aiming to address Affordable Care Act and other government, employer and consumer-driven impacts.  Using electronic medical records, controlling employer healthcare expenses and enabling patient accountability for medical care decisions are just three of many big and complex challenges. The road to change will be long and slow given the sheer complexity and fragmentation of healthcare delivery. As in financial services, new entrants are leading innovation with solutions that address elements of the ecosystem. As in financial services, there is room for incumbents to realize opportunity with the right strategic and cultural conditions.

Medical Identity Theft And Fraud

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual’s personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) of insured adults say they are familiar or very familiar with the term “medical identity theft.” Of the 15% that professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode for several reasons. First, the Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs), which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft we must better understand the nature of medical identity theft. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers’ identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate and make aware the general public as to what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers’ billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements or invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim’s name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of “curing” themselves of medical identity theft, ensuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim’s medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients’ medical records making healthcare providers worry that they may be violating the imposter’s privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients’ records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim’s name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable, as she could simply show the hospital billing department that she still had both feet. Unfortunately, the imposter also had diabetes, which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. The victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers, as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime for which police in most states are required to provide a police report. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location where the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim’s fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves, which increases costs in the medical industry for everyone involved.

The second and more difficult objective, “curing” oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider’s office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with, as they may contain a virus or a program that steals information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home, as this will encrypt the traffic from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. “Medical ID Theft Study Results.” March 2012. Print.

Ponemon Institute. “Third Annual Survey on Medical Identity Theft.” June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. “ID Theft Infects Medical Records.” Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012