Criminals have added a new dimension to identity theft: the theft of personal medical information. Although stolen credit card numbers, bank account information and Social Security numbers are still big business for criminals, medical information has become more valuable on the black market. Consider some of these eye-opening statistics:
- 61.5 percent. The increase in incidents of medical identity theft in 2013.
- 25 cents, $1 and $50. In order, these are the amounts for which Social Security numbers, credit card numbers and electronic health records are sold in online black markets. In today’s black market, EHRs are far more valuable than Social Security numbers, according to the FBI.
- 63 percent. The number of healthcare organizations surveyed by Ponemon that reported a data breach in the past two years.
- 3 percent. The tiny percentage of the average healthcare organization’s IT budget that is devoted to data protection.
- 1.3 million. The number of EHRs stolen from the Montana Health Department from a single server breach in Spring 2014.
American universities are training more cyber security experts (to learn how one BS in Cyber Security program is educating consumers, visit this page). Unfortunately, it’s hard for cyber security graduates to keep up with the growing problem of medical identity theft.
Medical Identity Theft Warning Signs
In a world of increasing healthcare costs, fraudsters use other people’s health information to obtain services for themselves. For example, someone who can’t afford health insurance or a needed medical procedure might purchase a black market health record, assume someone else’s identity and ask a doctor to perform the needed procedure. Afterward, the victim would receive an explanation of benefits (EOB) statement from his or her health insurance provider or, even worse, a bill or collections notice. Although the victim never received the treatment, he or she would be on the hook for paying the bill.
Other medical identity theft warning signs, according to the FTC, include:
- Credit report problems. A credit report might display collections action from an unknown medical provider. There are numerous ways (free and paid) to monitor your credit.
- Health plan notices. Some victims receive notices that they’ve reached their benefit limit even though they’ve used their insurance sparingly.
- Issues with insurance coverage. An insurance company might raise premium rates or deny certain kinds of coverage based on a “pre-existing condition” that the victim never had.
Picking up the Pieces
Medical identity theft victims can take these steps to clean up their health records:
Obtain copies of all medical records. Some providers refuse to release records because they assume that doing so violates the thief’s privacy rights. However, the FTC clearly states that victims have a right to see all information in their health records. Victims should send a written request for the records to the ombudsman, the patient representative or the person listed in the provider’s Notice of Privacy Practices. If these sources aren’t cooperative within 30 days, victims can contact the Office for Civil Rights within the Department of Health and Human Services.
- Obtain accounting for disclosures. An “accounting for disclosures” lets victims know to whom each provider released copies of patient medical records. It also explains when the information was sent, what was sent and why.
- Correct errors in the records. Victims should provide a written request to each medical provider asking the provider to remove the thief’s information. With the request, they should include a copy of the police report associated with the medical identity theft case, and send the request via certified mail with return receipt.
- Contact insurers and all three credit bureaus. Victims should send copies of the police report to the insurance company’s fraud department and to each credit reporting agency (Equifax, Experian and TransUnion).
- Consider placing a “freeze” or “fraud alert” on all credit files. This step will prevent thieves from applying for credit in the victim’s name.
An Ounce of Prevention
Many identity thieves steal information by pretending to work for insurers, medical device companies, prescription drug companies and other legitimate-sounding organizations. Therefore, no one should ever share personal health information within a phone call, email, Web form or other correspondence that they didn’t initiate.
In the saddest cases, victims, especially senior citizens, are defrauded by friends and family members. Even at home, people must secure their health information and shred all out-of-date documents.