How healthcare providers can curb medical identity theft
Medical identity theft is on the rise. Medical records are a hot target for hackers because, according to the FBI, medical identities are valued at 20 to 50 times more than financial identities on the black market.
Data breaches appear to be the leading cause of this growth, and the number of data breaches continues to grow. The number of healthcare organizations falling victim to data breaches reached an all-time high of nearly 400 reported breaches in 2016, according to the Identity Theft Resource Center.
[From HIMSS Security Forum in Boston: Healthcare must move from risk to resilience, Tom Ridge says]
“The effects of having one’s medical identity stolen can range widely,” said Paige Schaffer, president and COO, identity and digital protection services global unit, at Generali Global Assistance, one of the first companies to offer identity theft protection and resolution services in the United States. “The most common issue victims experience is being billed by a medical provider for services the fraudster received.”
This is why it’s critical for individuals to check their explanation of benefits statements thoroughly and regularly. If left uncaught, the financial impact can be significant for many families. According to the Medical Identity Fraud Alliance, out-of-pocket cost to victims is $13,500 on average; though, for some medical identity fraud victims expenses can be even more significant as there are currently no legal or regulatory consumer protections in place that limit the financial liabilities for this specific type of fraud.
“Other common outcomes could include being denied health insurance or benefits due to reasons caused by the fraud and discovering another person’s information mixed in with the victim’s own, legitimate records,” Schaffer said. “This last outcome is arguably the most dangerous of potential ones because inaccurate health records, such as allergies, blood type or health conditions can lead to a patient receiving the wrong type of medical care.”
For example, if an individual’s medical record showed a person had a different blood type than they actually did, the results could be deadly.
There are strategic steps that healthcare provider organizations can take today to help thwart the medical identity theft of patients. For instance, better identity verification based on Equifax, Experian, TransUnion and LexisNexis identity verification and knowledge-based authentication, said Andras Cser, vice president and principal analyst, security and risk management, at Forrester Research.
“Further, insurers can get confirmation of treatment on snail-mail from patients/subscribers,” Cser said. “Two-factor authentication and stronger authentication can be installed for insurer portals. And there can be a decreased reliance on the Social Security number for authentication and identification.”
While the rise in medical organizations experiencing data breaches hasn’t been proven to directly have caused the rise in medical identity theft, the correlation in these statistics’ rise certainly indicates so; as a result, it’s critical that health organizations implement cybersecurity best practices, including training their employees on identifying phishing attempts and data protection processes, Schaffer said.
“Often, organizations spend a lot of time and money on technology safeguards but neglect to invest equally in their biggest potential vulnerability – their employees,” Schaffer said. “In addition to training employees on recognizing potential scam e-mails, it is critical to train them on protecting patients’ health information, including keeping digital files instead of physical ones whenever possible, safeguarding paper files with as much vigilance as digital ones, collecting only the information they actually need, and shredding any documents that they no longer need to keep physical copies of.”
Additionally, with the rise in data breaches – this year is on track to reach more than 1,000 reported, according to the Identity Theft Resource Center – it’s important for health organizations to take preventative steps to help mitigate the fallout if they do fall victim to such a breach.
“Offering identity theft protection with full-service medical identity theft resolution is one effective way to do that,” Schaffer said.