Posted by: Arian Eigen Heald
Database security, HIPAA, Identity theft, Security
A recent story in Government Technology magazine educated me on exactly what “medical identity theft” is and what the risks are. Although the article focused on Medicaid and Medicare fraud, the statistics and risks made for scary reading. And it started me thinking about MY medical data.
In a nutshell, medical identity theft involves the use of patient identification numbers and/or physician identification numbers, both used to bill for services and obtain payment.
The FTC estimated, based on overall identity theft statistics, that medical identity theft cases numbered 3 percent of all identity theft cases. That’s about 250,000 cases a year, at a conservative estimate.
The FTC is not responsible for addressing medical identity theft, the Department of Health and Human Services is. Nor is there an ability to use FACTA (Fair Credit Reporting Act) to remove fraudulent medical records.
According to the World Privacy Forum and Blue Cross Blue Shield Association, at least 1 percent of fraud is estimated to be medical identity theft: that’s $600 million per year. Ouch.
For individual patients, the theft of their medical identification numbers presents an even more difficult scenario to resolve than “regular” identity theft. Their medical history gets changed, along with erroneous information about allergies, medications and procedures done. With HIPAA protecting medical records, it is much harder to change the records that list the “bad” information.
And imagine trying to get insurance with a false “pre-existing condition” created by fraud? Not to mention dealing with hospitals and other medical organizations trying to get payment.
Another interesting (and scary) statistic from the WPF:
Cost, on the street, for a stolen Social Security number? $1.
Cost, on the street, for stolen medical ID information? $50.
Medical identity data sitting in our HR databases is more valuable than Social Security numbers. Has it occurred to anyone else besides me that our medical ID numbers are often our Social Security numbers?
Bankrate has noted that since HIPAA has no enforcement mechanism, data security is not a high priority issue for health care facilities. The penalties are there in the legislation, but there is no inspection or reporting mechanism to ensure compliance. We are, in essence, trusting our medical providers and billers to keep our personal information secured.
Given the state of security in the majority of our business networks today, would that give you a warm fuzzy?
Next: “Synthetic” Identity Theft