A stark link between breaches and fraud

New research sheds light on disturbing trend in the healthcare industry
By Erin McCann
10:35 AM
Share

A new case study examining the 2012 Utah Department of Health data breach that compromised the protected health information of 780,000 individuals has underscored a stark association between healthcare data breaches and cases of fraud.

The case study, conducted by Pleasanton, Calif.-based Javelin Strategy & Research, found that in 2010, if an individual received a data breach notification, there existed a more than one in 10 chance that the individual would also be victim of fraud. In 2012, the correlation jumped to one in four, officials say.

"Something that's come to our attention over the years is that there's an increasing correlation between being a data breach victim and being a fraud victim," said Alphonse R. Pascual, senior analyst of security, risk and fraud, Javelin Strategy & Research, in an interview with Healthcare IT News.

[See also: Get set: New HIPAA has teeth.]

He pointed out that the data breach at UDH was a failure to manage IT assets in the correct manner, and could have easily been avoided with proper systems lifestyle management, basic checklists and risk assessment.

"The $2 to $10 million (that the breach cost the state) is small change compared to the kind of fraud we're going to see as a result of the breach," Pascual explained. As a result, beyond the $2 million to $10 million the breach cost the state, researchers pegged additional total fraud cost at a towering $406 million. Based on research projections,122,000 cases of fraud will result from this breach, coming with a price tag of more than $3,000 per victim.

One of the many lessons that can be gleaned from this data, Pascual said, is that there's a big opportunity for the financial industry to get more involved following a breach.

"If I'm a bank in Utah, and I know that this just occurred, it would be in my best interest to be proactive," he explained. "I may not know if my customer was affected, but I should at least send out some kind of notice," regarding additional account protections. 

[See also: First-of-its-kind HIPAA settlement announced, Idaho hospice group to pay.]

When asked about the data protection differences the finical industry has for consumers versus what the healthcare industry has, Pascual said there's a huge disparity. Healthcare organizations just aren't protecting patient's protected health information like they should be, and it's really costing consumers and organizations alike.

"Having that much information, storing it in all one place, leaving it unencrypted, hiding it behind weak or default passwords — that would be wholly unacceptable in the financial industry," he said. "The time has come for the healthcare industry to do a better job."