An elderly man went to the emergency room after injuring his back. When he got there, the doctor noticed that he also had an infection. He offered the elderly man penicillin, the same medication he received during his last visit to the ER.
The elderly man was confused. This was his first visit to the ER, and he was allergic to penicillin. Why would his records say otherwise?
It soon became clear that someone else had used the elderly man's health insurance card at the ER to obtain penicillin and a host of other medications. At some point, the elderly man had misplaced his card; after reporting it lost, his insurance company had sent him a replacement with the same number.
This was just one of several harrowing anonymous stories told to the authors of a report by the Medical Identity Fraud Alliance called “The Growing Threat of Medical Identity Fraud: A Call to Action.” In the last five years, the number of data breaches in the medical sector has quadrupled. Last year, for the first time, the medical sector experienced more breaches than any other. It’s again on track to lead in 2014, according to the ID Theft Center. While the health care industry has long suffered fraud by providers or employees fraudulently billing insurers, Medicare, or Medicaid, the medical industry is only just now trying to catch up to the quickly growing threat from hackers.
With the increasing digitization of health information (in the form of electronic health records) and the formation of health exchanges (due to the Affordable Care Act), the trend in medical identity theft is unlikely to abate any time soon. Personal medical information is useful to many different types of criminals, which is why it fetches a higher price on the black market than financial information. The sheer number of targets also makes the medical sector easy prey. Furthermore, technology has come relatively late to the health industry, and data security at health organizations can lag behind. The digitization that accompanies the Affordable Care Act may initially cause a surge in the number of breaches, but some analysts believe it could eventually reduce demand for medical information.
“The crime itself can be very valuable to a cyber criminal or any criminal, even a low-tech criminal, and the reason is that the information contained in a medical record includes just about everything about you,” says Larry Ponemon, chairman and founder of the Ponemon Institute, a cyber security research firm. That information includes your name, address, Social Security number, credit and debit card information, and physical characteristics. Thieves of such data are selling it to a variety of fraudsters—not just those who want to perpetrate medical fraud.
Thieves could, of course, use a credit card or Social Security number from a medical file to commit basic financial fraud. But they might rather sell the medical information, says Steven Toporoff, an attorney in the privacy and identity protection division at the Federal Trade Commission. “Let’s say a medical file indicates somebody has cancer,” he says. The thief could steal the file for the Social Security number, but then sell other useful parts of the file to others. “It’s almost like laundering the information,” he says. Eventually, it may be passed to data brokers who then sell it to marketers such as pharmacy companies or hospitals that want to target those with cancer.
In more sophisticated operations, physically identifying information could help create a persona for visas and passports. If the target is an important person with access to high-security systems, physical characteristics could help hackers breach them.
“The more sophisticated cyber-related identity theft schemes will likely increase as perpetrators are able to acquire stolen personally identifiable information,” says Gerald Wilson, chief of the health care fraud unit at the Federal Bureau of Investigation. He expects them to become even more sophisticated.
Another big reason identity theft in the medical sector is so prevalent? Fragmentation of information within the industry. For instance, if you visit the emergency room, the ambulance will have one version of your health record, while the ER will have another. Since ERs aren’t necessarily owned by hospitals, if you go to the hospital after that, it may also create a new file on you.
“Automation has come to health care industry late. And honestly, health care has been slow to adopt new innovation around medical records,” says Rick Kam, president and cofounder of ID Experts, which creates software and offers services to prevent and respond to breaches. “The health care industry is very much a cottage industry so everyone has little bits and pieces of data about you and no one talks to each other.”
Digitization in the health industry is helping create more records to be exploited. Electronic health records are projected to grow more than 7% a year, according to a February Accenture report. Meanwhile signups for health insurance through the Affordable Care Act exchanges earlier this year numbered eight million. (In the long run, the increase in the number of insured people from the Affordable Care Act is expected to reduce “Robin Hood” fraud, in which someone knowingly shares their health credentials with a friend or family member who doesn’t have health insurance.)
The consequences for victims of medical identity fraud are much worse than for those of financial fraud. In a 2013 Ponemon Institute survey on medical identity theft, although only 36% of such victims incurred out-of-pocket costs, those that did paid out $19,000—far more than the $50 liability limit for fraudulent credit card charges. Victims whose profession requires them to pass medical tests can lose their jobs, and victims who are mothers and whose fraud is perpetrated by drug addicts could have their children taken away from them.
The worst-case scenario for medical fraud victims is having their medical record contaminated by someone else’s health information, such as an incorrect blood type or allergies. Even if the fraud is detected, the nightmare has only begun. It can be difficult for patients to flush mistaken information from the system because they don't know how many databases have their information and which ones need to be corrected.
The industry continues to work to pull ahead of malicious hackers. In the meantime, you can watch out for medical fraud on your accounts by reading your Explanation of Benefits to ensure that it is accurate and being aware of red flags such as getting calls from debt collectors on medical debts or medical collection notices on your credit report. And while it's not a scientifically proven preventive measure, crossing your fingers can't hurt.