8 ways to fight medical ID theft
Medical identity theft can be fatal, especially to society’s most vulnerable population, the elderly. Targeted by criminal groups and unscrupulous relatives alike, seniors tend to be more trusting of others and are less likely to report the crime because they don’t want family members to think they can’t maintain their independence, says the National Crime Prevention Council. Fighting this crime is a high priority for me, and it was a privilege to participate in an FTC panel on the subject in Washington, D.C. last month.
“Medical identity theft occurs when someone uses another's information to receive medical-related services, to buy drugs, or to unlawfully gain financial benefits such as billing insurance companies or Medicare for services that were never performed,” said Robin Slade, a panel member and head of the Medical Identity Fraud Alliance. When medical identity theft compromises a person’s care, she said, the results can literally be deadly.
Medical identity fraud is also expensive — costing $41.3 billion and affecting 1.85 million people annually, according to a Ponemon Institute study, the Third Annual Survey on Medical Identity Theft.
The vulnerability of senior citizens
The panel, which included Pam Dixon from the World Privacy Forum and Andy McKee from the Health and Human Services Office of Inspector General, discussed why seniors are more prone to this type of identity theft:
- They are perceived as vulnerable or more trusting, making them preferred targets for crimes and scams.
- Medical identity theft appears to be most common where Medicare and Medicaid are widely used — Florida, California, etc.
- Because many elderly are also poor or disabled, they require frequent medical services. Fraudsters will prey on this need, offering “free” services supposedly provided by Medicare/Medicaid.
- Medicare cards list a beneficiary’s social security number. “Once that number becomes compromised,” Mr. McKee said, “it's compromised. You can't put the genie back in the bottle … The government's not going to issue you another one.”
- The elderly often suffer from cognitive issues, and may not even realize their identity has been stolen.
Causes of medical identity theft
Data breaches are one cause of medical identity theft: 94 percent of healthcare organizations experienced a breach over the last two years, and 45 percent of those had experienced five or more breaches, according to the Third Annual Benchmark Study on Patient Privacy & Data Security, another study by Ponemon Institute.
Clearly, criminals are seeing the economic value of PHI. In fact, Mr. McKee noted that Medicare numbers can sell for up to $100 apiece.
Ms. Dixon pointed out that, for seniors, not all cases of medical identity theft occur because of data breaches. “In one case, a man billed over $3 million for 18 dialysis patients. He didn’t need a data breach,” she said. “All he needed was a photocopier.”
No value on data
Behind the more obvious causes of medical identity theft is a more subtle problem. Experience has taught me that organizations place little or no financial value on data — especially in healthcare. When an organization can’t value an asset, it’s difficult to appropriate resources to protect that asset. While IT and other guardians of data understand their value — and what’s at stake when they become compromised — the C-suite often doesn’t recognize the risks.
And that puts patients, including seniors, at risk for medical identity theft and its potentially dangerous consequences.
Preventing medical identity theft among seniors
Finally, the panel discussed ways to fight medical identity theft:
- Provide education and increase awareness of the impact of medical identity theft on consumers and the healthcare industry.
- Collaborate on an industry level. The Medical Identity Fraud Alliance is a new healthcare industry association that is “focused on developing the technology, the best practices, and the policies necessary to lessen the exposure of patient data,” said Ms. Slade. She equated healthcare’s move toward EHRs to the advent of e-commerce in the financial services sector. “There are many parallels in terms of adoption, use and risk, and we are embracing lessons learned as we roll out MIFA.”
- Educate executives on the value of safeguarding data. The ANSI Identity Theft Prevention and Identity Management Standards Panel (IDSP) published the PHI Value Estimator (PHIve) model, a five-step method for assessing security threats and evaluating the “at risk” value of an organization’s PHI.
- Make individuals the first line of defense. Ms. Dixon said that patients need access to and should have the right to correct their medical records. “Get your healthcare files before you need them … and watch out for those free services because some of them are really scammy,” she said. “And really, really watch those EOBs.”
- Institute basic controls, such as immediately disabling computer passwords for terminated employees. This was only one problem the HHS Office of Audit Services found during a study on HIPAA compliance, Mr. McKee said.
- Simplify Medicare explanation of benefits (EOBs) to better identify potential fraud — a move that is already underway.
- Provide Medicare beneficiaries with identification similar to a credit card that can be destroyed if their identity is stolen.
- Federal and state governments should provide incentives. “Healthcare institutions … and stakeholders are going to have to be involved at the state and federal level,” Ms. Dixon said.
The panel provided valuable insights on the nature of medical identity theft among seniors as well as some viable solutions. A highlight for me, however, came from Barbara Dieker, director of the Office of Elder Rights at HHS. She heads up the Senior Medicare Patrol Program; seniors are recruited and trained on Medicare and other healthcare programs. “They educate their peers on how to read [their] Medicare summary notice, how to prevent fraud… and how to protect their personal information,” she said.
This grassroots movement raises awareness, which, I believe, is the first step to fighting medical identity theft, especially among the most vulnerable.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).