By James Swann
The threat of medical identity theft is on the rise as the health-care industry grapples with a growing rash of data breaches. Take the example of Commonwealth Health Corp., which reported the theft of 698,000 patient records in March 2017.
The breach at the Bowling Green, Ky.-based health system was the largest health-care-related breach in 2017, and the theft exposed health insurance information, addresses, and Social Security numbers that could be used to steal a patient’s identity and even access their medical care.
There’s no way to trace a specific case of medical ID theft back to a specific data breach, but providers are under pressure to secure patient data and prevent it from getting into the wrong hands. Patients can receive the wrong treatment and be physically harmed as a result of ID theft, and health-care providers can face steep fines and reputational damage for any failures to secure medical records.
The Commonwealth breach was quickly followed by a May 2017 class action that sought financial damages due to the company’s failure to safeguard a patient. Lead plaintiff Samuel Palmer said he has already been the victim of identity theft as a result of the breach, receiving notices from two car dealerships about pending loans taken out in his name.
The class action is awaiting a ruling from the Warren County Circuit Court on Commonwealth’s motion to dismiss, Jean Sutton Martin, an attorney with the Law Office of Jean Sutton Martin PLLC in North Carolina who represents the plaintiff, told Bloomberg Law. A hearing was held in February and the judge indicated that a ruling would be forthcoming, but that hasn’t happened yet, Martin said.
The Commonwealth breach is also under investigation by the Health and Human Services Office for Civil Rights and could result in a costly settlement agreement if the OCR uncovers any negligence.
Physician practices are aware of the risk of medical records theft, but many don’t think it will happen to them, Robert Tennant, director of health information technology policy at the Englewood, Colo.-based Medical Group Management Association, told Bloomberg Law.
There’s no obvious return on investment for protecting patient data, and some practices might decide to forgo the costs associated with security measures, Tennant said.
Physician practices will inevitably become the target of criminals looking to steal medical data, Tennant said.
“We’ve been hearing from many members that they’re getting phishing attacks on a daily basis,” Tennant said. Health-care records are worth hundreds of dollars and contain information like birth dates, Social Security numbers, and addresses that can be used to steal someone’s identity, Tennant said.
Medical ID theft can have dramatic reputational risks for a physician practice, Tennant said. Patients might stop going to a practice that has experienced a records theft, referrals might dry up, and staff morale is sure to suffer, Tennant said.
The financial risks are just as dramatic and include expenses such as informing patients their records have been stolen and alerting local media, Tennant said. There could also be fines from the OCR, which could be crippling for smaller practices, Tennant said.
Many physicians are purchasing cyber insurance that can help after an attack, but cyber insurance won’t cover an OCR fine or settlement, Tennant said.
Data Breach Impact
The top three health-care data breaches in 2017 compromised over 1.5 million medical records that can be used for everything from creating an entirely new identity to accessing another patient’s prescriptions to altering existing medical records.
Medical ID theft complaints to the Federal Trade Commission surged by 40 percent in 2017 from the previous year to a total of 6,805, according to the FTC’s 2017 Consumer Sentinel Network Data Book. Over 300 data breaches in 2017 involved medical data, accounting for nearly 30 percent of all data breaches, according to the San Diego-based Identity Theft Resource Center.
Criminals armed with stolen medical data can use it for everything from getting access to opioid prescriptions to creating an entire false identity that can be used to take over a patient’s life. ID theft can spring from a patient losing their insurance card or a physician practice experiencing a data breach.
The ease and accessibility of medical data is fueling the increase in ID theft, Paige Hanson, the Identity Education Lead at Symantec’s consumer business unit, told Bloomberg Law. While patients have more access to their medical records than at any time before, that ease of access is also drawing criminals to the information, Hanson said.
Compounding the problem is the fact that most of the public isn’t aware of the threat of medical ID theft, Hanson said.
The Ponemon Institute, a Traverse City, Mich.-based research firm, has reported on medical ID theft every five years, and its most recent report from 2014 discovered 2.3 million victims of identity theft for the year.
Ponemon’s next report is likely to register a significant uptick in medical ID theft victims, Hanson said. Symantec is based in Mountain View, Calif., and provides cybersecurity software and services.
The loss of something as simple as an insurance card can lead to a full-blown ID theft crisis, Hanson said. The stolen insurance card could be used by someone having a medical procedure, Hanson said, which could trigger changes to the original patient’s record, such as a new blood type.
If the original patient shows up at the hospital where the fraudster had a procedure, complications could ensue, Hanson said. Medical identity theft could also lead to a patient being denied health-care coverage because someone else has assumed their identity, Hanson said.
Medical records can also be hard to change once data have been entered, Hanson said. If a patient’s records are altered due to medical ID theft, they may have to tell all future providers to ignore certain parts of their record, Hanson said.
Cutting Down Risk
Patients should follow several steps to protect their medical data from theft, including securing their medical insurance card, Louis Saccoccio, chief executive officer of the National Health Care Anti-Fraud Association, told Bloomberg Law.
“In the wrong hands, a health-insurance card is a license to steal,” Saccoccio said. Individuals should never give out their insurance policy number to salespeople, telephone solicitors or over the internet, Saccoccio said.
Patients should also routinely check their explanation of benefits statements to ensure that the providers, services, and dates of service accurately reflect the care they received, Saccoccio said. Insurance companies send out explanation of benefits to patients after medical care has been provided.
Providers also need to do their part to secure medical records, Symantec’s Hanson said. Up-to-date security procedures are essential, both electronically and physically, Hanson said, and businesses need to understand that they have a higher responsibility to safeguard medical data.
Securing patient records is a business imperative, MGMA’s Tennant said.
“You have to weigh the cost of security against the potential impact to your business,” Tennant said. Physician practices should train their staff on common theft schemes, such as phishing, and should conduct security risk assessments as well, Tennant said.
Encrypting all data is also a good idea, as it’s possible that a laptop or tablet containing patient data could be stolen, Tennant said. If a laptop is stolen but the data is encrypted, it’s not considered a data breach, Tennant said.