How to spot and prevent medical identity theft
Say 'Aaugh!' then take steps to guard health care information
While credit card breaches at retailers are grabbing headlines, identity thieves are quietly homing in on an even more
lucrative area: health insurance and medical records.
More than 1.8 million people in the U.S. were victims of
medical identity theft in 2013, according to a survey by the Ponemon Institute
released in September. That's a 19 percent increase over the previous year.
"Medical identity theft is the fastest growing component of ID
theft," says Drew Smith, founder and CEO of InfoArmor, a
provider of business-to-business identity theft solutions.
The latest case involves the alleged theft by Chinese hackers of 4.5 million medical records from Community Health Systems, a company that runs 206 hospitals in 29 states. Thieves stole records including names, addresses, birth dates, telephone numbers and Social Security numbers.
Like any type of identity theft, medical ID theft can damage
your credit and cost you hours of hassles trying to clear it up. But it
could also endanger your life if incorrect information appears on your medical
Why the bull's-eye? Health information is easier to hack than credit. In
April, the FBI issued a private industry notification warning to health care
providers that their data networks are not as robust as those in the financial
and retail sectors, and "the possibility of increased cyberintrusions is
Safeguards are in the works, but the move to electronic
records and the health exchanges set up under the Affordable Care Act, otherwise known as Obamacare, have opened new opportunities for fraud, both online and
Experts say Americans can expect to see medical fraud heat
up again in the months before open
enrollment for 2015 government-subsidized insurance begins in November 2014.
Your medical ID: black
Why would hackers bother with health insurance when they
could get a direct line to your pocketbook via credit cards or financial
accounts? "It's very lucrative," says Ann Patterson, senior vice president and program director at the
Medical Identity Fraud Alliance. "Stolen protected health information can
be monetized for a much greater value than traditional financial account
A complete medical identity --
including name, address, phone number, Social Security number, medical
insurance information and access to medical records -- is worth about $50 on
the black market, says Michael Bruemmer, vice president of Experian's Data
Breach Resolution group. "Without medical or insurance information, that drops to
about $10 for someone's stolen information."
Bruemmer's group helped resolve 1,000 health
care client breaches last year, including the largest breach of HIPAA, the Health
Insurance Portability and Accountability Act.
Medical identity theft usually happens on a large scale,
with hundreds or even thousands of identities stolen at one time. Once hackers
have a medical ID, they can use it to procure prescription drugs or expensive
medical equipment or simply to commit financial fraud -- often for months or
years before anyone notices.
Why? Partly because people don't pay much attention to their
medical or insurance records. While most of us wouldn't let a bank or credit
card statement go unread, we tend to ignore the explanation of benefits (EOB)
issued by our health insurance after we have a doctor's appointment or medical
More than half of all medical identity theft is what's known
as "friendly fraud" or "a victimless crime," according to
the Ponemon Institute study. A typical example: an uninsured sibling or friend
borrows your insurance card for a procedure, with or without your permission.
In 2013, the Medical Identity Fraud Alliance interviewed
800 victims of medical fraud. When asked what they would do differently, half said
nothing. "Especially with the Robin Hood or 'victimless' crime, most people
don't think there are consequences," says Patterson. "They say it's
no big deal."
Yet there is no such thing as victimless medical identity
theft. "If your sister has allergies that you don't have or a different
blood type, her allergies and blood type are now comingled in your records,"
Patterson says. If you're unconscious and need an emergency transfusion or
misinformation can kill you.
That kind of consequence comes, in equal measure, from both friendly
and malicious medical identity theft, yet we continue to be lax about sharing
our health information. "As a society, we just look at health in a very
different way than we look at our finances," Patterson says.
Detecting medical fraud before it hurts you
Sometimes it takes a questionable medical bill to alert
someone to a compromised medical identity, but even that doesn't always do the
trick. Many people simply ignore such bills from their insurance companies. By the
time a red flag goes up, your insurance may have been used to procure
prescription drugs, black-market medical equipment and emergency
The consequences can be expensive. The Ponemon Institute
found that 36 percent of medical ID theft victims pay to resolve the issue, and
their out-of-pocket costs average nearly $19,000. Even if you
don't end up paying out of pocket, such usage can wreak havoc on both medical and
credit records, and clearing that up is a time-consuming headache.
That's because medical records are scattered. Unlike
personal financial information, which is consolidated and protected by credit
bureaus, bits of your medical records end up in every doctor's office and
hospital you check into, every pharmacy that fills a prescription and every
facility that processes payments for those transactions.
Bruemmer expects that will change soon, with more
progressive states raising the bar. "California, in particular, has the
most stringent standard for what constitutes a medical or health care breach,"
he says. If an individual's username and password are compromised on a health
care portal there, the provider is required to notify him or her within five
days, Bruemmer says.
"I actually think that's the way the industry is going
and there will be more regulations across more states," Bruemmer says.
Compiling a composite identity for the big scam
One small breach of information here and there may not seem
like much, but each one could be adding up to something serious. "Five
years ago, most hackers were looking for Social Security numbers, credit card
numbers. They were going for the quick, easy fraud," says Smith. "Today,
they're looking to steal someone's health credentials, insurance information, credit
card account passwords, so they can continue to monetize victims' identities
over a longer period of time."
"Thieves are getting smart," Bruemmer agrees. "One
organization may take a username and password, another your credit information,
another your Social Security number. The last one may actually get your medical
records. What they're doing is amassing, in three or four incidents over a
period of time, the full identity stream."
Bruemmer says, for example, that thieves
often use hacked email accounts to gain personal information. "People say,
'Oh, it's just the username and password for my email account, I'll just change
that.' You'd be surprised how many people forget and let it go. Then, all of a
sudden, something really bad happens."
As with any organized crime, fraudsters jump from one
channel to the next, as each locks down. "In the financial world, they
jumped from hard checks to electronic to online banking, and now mobile fraud,"
Patterson says. "Now they're jumping from traditional financial channels
into health care channels."
Like the RAM-scraping in 2013's big retail breaches, online medical fraud has become more
sophisticated in recent years. Yet old-fashioned huckstering is alive and well.
In July, the owner of NC Behavioral Health and Counseling Services of Durham, North Carolina, was indicted for health care fraud, identity theft and 13 other
criminal charges after submitting bogus claims for at least 56 clients. Court
records allege that instead of covering medical services for the patients, the owner
spent the $1 million she received from Medicaid on a Cadillac Esplanade, a
Mercedes and a swimming pool.
opportunities courtesy of Obamacare
Obamacare and the
expansion of Medicaid have opened up a whole new stream of opportunities for
fraudsters, experts say. In June, a backpack was discovered on a street in
Hartford, Connecticut, near the Access Health CT exchange. Inside were four
notepads containing the Social Security numbers of 151 people enrolled in
Connecticut's Obamacare exchange.
"There are so many opportunities out there to defraud
people," says Dennis Jay, executive director of the Coalition Against
Insurance Fraud. "You're dealing with populations that are new to
insurance and don't understand the dangers of selling a Medicaid number or
sharing a health ID number."
Just before the rollout of Obamacare, roving gangs began
knocking on doors in lower-income neighborhoods, requesting health information
they said was needed to expedite the new health plans. "People gave it
out," Jay says. He expects that kind of fraud to pick up as the open enrollment
period for 2015 coverage through the health insurance exchanges nears.
The expansion of Medicaid accompanying Obamacare
has led to similar door-to-door solicitations, he says. "The Medicaid
expansion also concerns us because there are roving gangs that will pay you to
share the numbers with them," Jay says. "Once [fraudsters] have those numbers, they know
they're golden. A lot of Medicaid systems won't detect it for many months and
there could be tens of thousands or even tens of millions gone before that
It's too early to measure the impact of
the health exchanges set up under Obamacare and the sharing of health records
online. "We haven't even seen how secure those sites are," Smith
says. "But given the problems they've had, it would be surprising if we
don't see identity theft bump up over the next couple years
because information has been compromised."
What you can do to keep your medical identity safe
vigilant about your personal information. Shred all documents
with any kind of sensitive information and change your passwords on a regular
basis. "Don't use the same password on multiple platforms," Bruemmer
advises, "particularly health care platforms, financial institutions,
share health information with solicitors or phishers.
Steer clear of links in emails that request that information online. Don't give
out your information over the phone to someone claiming, for example, to
represent your insurance company. Don't give it to anyone who appears at the
door, either. A common scam now, according to Jay, is to knock on doors asking
for medical information to renew an Obamacare policy.
sharing sensitive information. Even health care
providers sometimes over-reach. Many automatically ask for your Social Security
number. "In many cases, they don't need it but it's the default question,"
Bruemmer says. "As a rule of thumb, don't share anything of a personal
nature with a health care provider that you wouldn't consider sharing with your
that EOB, preferably via email. An Explanation of
Benefits from your insurance provider is not exactly easy reading, but it's
worth more than a scan -- and the sooner, the better. "I encourage people
to get their explanation of benefits via email," Smith says. "They
come through much faster, instead of getting lost in the mail. Anything you can
do to monitor your EOB is a great start."
quickly on breach notifications. If you get a letter
from a health care provider saying your health care information has been
exposed, read it carefully and follow the instructions immediately. Such
letters usually offer helpful tips on how to protect yourself and take
advantage of free services provided.
credit reports and medical records regularly. You
can access each of your credit reports from the three major credit bureaus for
no cost once a year at AnnualCreditReport.com. Evidence of medical identity
theft often shows up there in the form of unpaid medical bills. You also have
the right to review your medical records. Any time you have a medical procedure
or visit a new physician, you should request and review a copy of your records.
Updated: August 19, 2014