By Daniel J. Solove
When you go to the hospital, you might worry about catching a staph infection or pneumonia, but you should also worry about contracting a nasty case of medical identity theft. Most people suffer significant harm from medical ID theft, and few are completely cured. This ailment is spreading dramatically as data spurts out of healthcare organizations these days as if from a ruptured aorta.
In January of this year, an article citing U.S. Department of Health and Human Services (HHS) statistics noted that in the past 5 years, there have been roughly 120,000 reported data breaches involving HIPAA protected health information. These breaches have involved more than 31 million individuals.
31 million is bad. But now add to it the individuals involved in the 80 million records compromised by the Anthem breach.
Healthcare cyberattacks are on the rise — an increase of 72% from 2013 to 2014 according to estimates by Symantec. In 2014 the FBI issued a warning that cybercriminals were especially on the prowl for healthcare data.
Several factors are combining to create an epidemic of epic proportions.
A Health Data Bonanza for Fraudsters
Why are fraudsters targeting healthcare? As an article by ID Experts puts it, “follow the money.” Health records are quite lucrative to criminals. As the article notes, healthcare data “can be sold to uninsured people, used to get medical supplies and equipment that can be resold, or leveraged to submit fraudulent charges to insurers.”
According to an article by Healthline, “[t]he going rate for stolen health credentials is up to ten times the value of stolen credit card information.” Medical identity theft often takes longer to detect than other types of fraud: “Many people are not even aware that their medical information has been stolen. It can take years until a collections agency goes after them for the cost of medical services that they never received.” The longer detection period increases the value of the data to fraudsters.
Inadequate Data Protection
Data protection in healthcare is often falling short. The OCR’s pilot audit program revealed rather frightening results: “58 out of 59 health care providers audited had at least one negative finding regarding Security Rule compliance.” Thus, more than 98% had problems.
Why is this happening? Because upper management isn’t devoting sufficient attention and resources. A recent HIMSS Security Survey found that only 52% of healthcare organizations have a full-time resource for security. And only a very small percent of the IT budget goes to data security — 19% of the organizations spent less than 1%.
The Dramatic Rise in Medical ID Theft
According to the Ponemon Institute’s 2014 Fifth Annual Study on Medical Identity Theft, released in 2015, there were more than 2 million victims of medical ID theft in 2014, up 22% from 2013.
According to HHS: “Medical identity theft occurs when someone steals your personal information (like your name, Social Security number, or Medicare number) to obtain medical care, buy drugs, or submit fake billings to Medicare in your name.” HHS further states: “Medical identity theft can disrupt your life, damage your credit rating, and waste taxpayer dollars. The damage can be life-threatening to you if wrong information ends up in your personal medical records.”
The term “medical identity theft” originates from a 2006 report by Pam Dixon of the World Privacy Forum. She concluded her report by stating: “The victims who have been impacted by medical identity theft have to date been largely ignored, despite the serious consequences and harms they must face and deal with. It is now time to work diligently to create new pathways of help and recourse for these victims, who deserve to be heard and helped.” Sadly, over the past decade, her calls for improvement in the report have not been sufficiently heeded.
In one case, a person went to donate blood but was denied. A fraudster had used her Social Security Number to get treatment at an AIDS clinic. In another case, a victim was billed $44,000 for surgery that he hadn’t received. In many cases, ID thieves use victims’ information to obtain prescriptions.
Not only can medical ID theft create financial harm, but it can pollute medical records with false information that can jeopardize a patient’s treatment.
But privacy and security issues are often dismissed by courts and policymakers as not resulting in significant-enough harm. So what’s the worst that can happen as a result of medical ID theft? Death.
That’s right — it is not fanciful that medical ID theft could create life-threatening harm. Imagine that you’re injured and unconscious and wheeled into the emergency room. Your medical records are riddled with errors from an ID thief — your blood type is wrong and your allergies are incorrect. There are preexisting conditions listed that you don’t have. There are treatments listed that you never received. There are drugs listed that you don’t take. These errors could lead to a wrong treatment that could be lethal.
Medical identity theft can hurt more than the ailments people seek medical care to cure. The Ponemon study concludes that 65% of victims had to pay an average of $13,500 to repair the damage. The average victim learned about the fraud more than 3 months afterwards. Nearly a third didn’t even know they had been victimized.
And medical ID theft is very hard to cure. It can be extremely difficult to remove the false information from one’s medical records. Only 10% of people achieved a complete resolution of the problem. There’s a much better chance that cancer will be cured than medical identity theft.
Kids suffer especially from medical ID theft because they often won’t discover it until years later when they need health insurance, and the fraud can result in astronomical premiums. Seniors are also at greater risk, as their data is used for Medicare fraud.
Patients Are Losing Trust
According to a recent study published in 2015, “A combined 54 percent of respondents say they would be “very” or “moderately likely” to change providers as a result of their personal health information being accessed without their permission.”
Privacy + Security
It is possible to stem the tide of this epidemic. But the epidemic isn’t caused by security problems alone. Of course, the security vulnerabilities need to be cauterized. But there are privacy components to the problem too — victims lack sufficient access to their medical records and sufficient rights to clear up errors in them and otherwise exercise control over them. It is also far too easy for ID thieves to impersonate individuals and have wrong data falsely entered into a victim’s records. These are issues involving privacy rights.
Healthcare workforce personnel must be made aware of the problems medical ID theft victims face. Far too often, they just learn a bunch of abstract HIPAA rules but are not taught about why they must care about following those rules. There’s a real person behind every piece of protected health information. Privacy and security are not just about protecting data; they are about protecting people.
Upper management must also take the problem seriously. A lot more resources must be provided to protect privacy and security. I dare anyone in upper management at a large healthcare organization to ask the privacy and security officials whether they have all the resources they need.
And policymakers must do more. Patient rights need to be improved. Enforcement should be stepped up. More focus must be put on not just preventing data breaches but also preventing thieves from polluting patient health records with false data. Better recourse must be provided to victims.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 890,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.