Unlike the financial services industry, health care companies lack measures to adequately prevent identity theft, even as they continue to digitize medical records and other sensitive information.
Twelve years ago, when Nikki Burton was 17, she tried to donate blood for the first time. She was denied without explanation. Perplexed, the Portland, Ore. resident called Red Cross headquarters to inquire, only to learn that her Social Security number had been used to receive treatment at a free AIDS clinic in California, rendering her ineligible to donate blood.
Years later, she wondered if, when asked whether she had any preexisting conditions, that instance of fraud might show up. So she called the Red Cross again. The organization told her that it no longer asked for Social Security numbers and she could donate blood without it. “I said, that’s fine for you guys to receive the donation, but that doesn’t solve the problem of that information existing in your system,” Burton says. “What if it got out?”
In 2013, the health care industry experienced more data breaches than it ever had before, accounting for 44% of all breaches, according to the Identity Theft Resource Center. It was the first time that the medical industry surpassed all others, and stood in stark contrast to the financial services industry, which represented just 3.7% of the total.
Identity theft is so pervasive in health care that, according to a 2013 ID Experts data security survey of 91 healthcare organizations, 90% of respondents had experienced a data breach in the previous two years and 38% had had more than five incidents. The leading causes of a breach are typical for any business: a lost or stolen computing device, an employee error, a third-party snafu. There’s also “Robin Hood fraud,” in which someone knowingly gives a friend or family member information to fraudulently receive health care. But one cause has grown in importance: Criminal attacks have doubled in the last four years, according to the survey. (A good example: the theft of 4.5 million records this month at hospital operator Community Health Services.)
Rick Kam, president and cofounder of ID Experts, a company that helps health organizations prevent and respond to breaches, says his team has been tracking crime rings that have been prosecuted in the last year for medical fraud. “Essentially, criminals have come to understand that using your medical credentials—your name, Social Security Number and health insurance numbers—to order goods and services that are never delivered and to bill organizations like Medicare and Medicaid, those activities are more profitable than drugs, prostitution, and other crimes they may pursue.” For this reason, medical identities are 20 to 50 times more valuable to criminals than financial identities. What could exacerbate the problem is the digitization of health information found in electronic records, mobile devices, and health exchanges.
Estimates of annual United States medical fraud range from $80 billion to $230 billion. Health care organizations who suffer breaches are subject to costs that average to $2 million over two years, according to estimates. This is why the health care industry and related players are starting come together to tackle prevention. It is a formidable task: With so many potential avenues for information to be lost, so many different institutions from which to steal data, and so many ways of perpetrating fraud at other organizations—not to mention the lack of a central database for reporting such fraud—the industry is a long way from being as impenetrable as the financial services industry.
Steven Toporoff, an attorney in the division of privacy and identity protection at the Federal Trade Commission, says that people who suspect financial fraud can get free copies of credit reports and can put on a fraud alert under federal law or a credit freeze in most states to halt fraudulent activity. “There are ways to block erroneous items from their credit report,” he says. “There are also remedies if you have a bank account and monies were withdrawn. There are protections for credit cards. In the financial world, we’ve been dealing with these problems for years. Unfortunately, in the medical world, it has not caught up yet.”
This year, a few dozen businesses (including health care providers such as hospitals, integrated care payer-providers such as Kaiser Permanente, insurers, credit companies, and digital security companies) formed the Medical Identity Fraud Alliance. The industry group is focusing on three key tasks: develop best practices to prevent medical identity theft and fraud for providers, payers, information management companies, and regulators; educate consumers, providers, and third-party vendors; and influence relevant legislation and regulations.
The group aims “to take an enterprise-wide approach,” says Ann Patterson, MIFA’s senior vice president and program director. A company can’t just relegate the task of theft prevention to one executive or department like the chief information officer, fraud investigator, or HIPAA privacy office, she says. “It’s everybody together, down to someone in the mail room.”
Further, the various players in the health ecosystem need to work together. “The financial services companies realize that to fight financial fraud they have to be less secretive and share more information with each other,” Patterson says. “Bank A has to share information with Bank B to find a fraud trend. If you are just looking at one bank, you can’t see a trend, but if 10 banks collaborate in a region together, then you can see that it’s some sort of organized crime ring.” For example, she says the American Bankers Association has a fraud loss reporting unit that allows banks to compare apples to apples. “But in the health care world, that doesn’t exist, and even when talking with law enforcement, what they consider medical theft or a breach is different,” she says.
Larry Ponemon, chairman and founder of the Ponemon Institute, a cyber security research firm, says health care companies aren’t prioritizing information security enough. For instance, he says, if you call and report a lost health insurance card, most companies will reissue you a card with the same number, whereas a credit card company would issue you a card with a new one. “The insurance industry could do a better job to make sure the credential is state of the art, that it isn’t just a piece of plastic but has information about you or could even in fact be a biometric or even a retina or facial scan,” Ponemon says. He adds that health companies could also adopt the behavioral analysis used by financial companies to determine whether charges or activities fall into an unusual pattern.
The health care industry could take one more page from the financial services identity theft prevention playbook: adopt the U.S. Federal Trade Commission’s Red Flags Rule, which requires businesses and organizations to develop and implement procedures to detect suspicious activities or patterns of behavior that suggest identity theft. Some measures are as simple as asking for photo identification.
Of course, there is one solution that doesn’t involve business at all: switching to a single-payer model of health care. “It seems like the public health or single payer model, like in the U.K., has great equity, and the motivation to share [insurance credentials] doesn’t exist because everyone has that baseline access to medicine,” Ponemon says. “This concept of medical identity theft is very foreign in countries that provide health insurance to their citizenry.”
For now, Nikki Burton has been lucky that the fraudulent information on her record hasn’t gone further than the Red Cross—at least not to her knowledge. “I’m extra good about checking my credit files and my medical records, and every time I go to a new doctor, I am aggressive about saying, ‘Is that all there is?’” she says. “The hardest thing about medical identity theft is that there’s no guarantee that it wouldn’t come back.”