Is Medical Identity Theft the new frontier for Identity Theft?
More and more healthcare organizations rely on the collection and use of personal data via online platforms to provide care and perform mission-critical functions.
This is a wonderful development. It’s important for doctors to be able to share your health needs, diagnoses, and treatment information with each other. It’s nice when you don’t have to carry a bulging folder of your medical testing results every time you go in to see a specialist, because they can access your medical file from their computer. In an emergency, it’s especially important that doctors have the fastest possible access to medical information.
However, putting the information on a digital platform also invites new security issues, especially since hospitals are relatively new to cybersecurity. Cybercriminals recognize an opportunity to profit and will continue to exploit security gaps to steal and make money from the same information the patient appreciates having access to online.
One reason criminals like Medical Identity Theft is the amount of time it takes before a patient or their provider notices that something is amiss.
This makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected by the system.
There is no Medical Identity Fraud detection system in place yet, which makes it easier for criminals to get to the data. The data is also accessible to many hospital personnel. All it takes is one corrupt account.
“Healthcare providers and hospitals are just some of the easiest networks to break into,” said Jeff Horne, vice president at cybersecurity firm Accuvant, which is majority-owned by private equity firm Blackstone Group.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSec LLC.
“Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Cybercriminals can use a patient’s stolen medical information to access their services or other resources, open bank accounts, make online transactions, apply for loans or credit cards, file tax returns to collect rebates, damage the victim’s reputation, expose private information to the public, blackmail the victim with details that should have been kept private, and cause various forms of personal distress.
They can sell the information in bulk on the Dark Net. According to a survey of customers in 2015, medical records and other health information are estimated at $82.90 apiece for U.S. consumers, while a Social Security number is worth $55.70. Payment details, physical location information, home address, marital status, as well as name and gender information are pegged at $45.10, $38.40, $17.90, $6.10 and $2.90, respectively.
NEW YORK/BOSTON (Reuters), 2014: “Your medical information is worth 10 times more than your credit card number on the black market.”
Bitglass, a security company, made the decision to ‘bait’ cybercriminals and then follow the bread crumbs to see how quickly the data traveled on the Dark Net.
In the twelve days that the company monitored the transmissions, they watched the data travel to over twenty-two different countries. It was viewed almost 1,100 times.
The information was spread mainly over North America, Europe, Africa, Asia and South America. There were forty-seven different parties involved in downloads, mostly in Nigeria, Brazil and Russia, with the highest percentage in Nigeria and Russia.
(Check the end of this article for a link to read more.)
Criminals can even use medical profiles to compromise corporate accounts and use them as gateways to breach more networks.
The effects of medical identity theft are frighteningly far-reaching, costing the victim, the healthcare organization, and probably even taxpayers time, money, and aggravation.
According to the Ponemon Institute, 65 percent of medical identity theft victims spent an average of $13,500 to pay the healthcare bills run up in their name, to recover their health insurance, and to pay lawyer’s fees, among other things.
They also found that it took an average of more than three months for victims to even detect the fraud, and more than 200 hours to undo the mess.
Ann Patterson is a senior vice president of the Medical Identity Fraud Alliance (MIFA), a group of several dozen healthcare organizations and businesses working to reduce the crime and its negative effects. She reported that approximately 20 percent of victims have told the company that they got the wrong diagnosis or treatment, or that their care was delayed because there was confusion about what was true in their records due to the identity theft.
The repercussions of a data breach for a healthcare organization are daunting.
There is the loss of reputation and patient trust. There is also a risk of huge revenue losses from the expenses needed to cover the forensic investigation and the mitigation of damages caused by the breach. There are also problems arising from fraudulent billing, and the costs of providing victims of the crime with remedial support.
Healthcare providers can also be served with civil and criminal penalties in line with the Omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA), with fines that range from $100 to $50,000 per violation (or per record) and an annual maximum of $1.5 million.
On top of all that, recent attacks prompted policy makers to push for more stringent guidelines that will be mandated to the healthcare industry in line with HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) in terms of averting the unauthorized exposure of private information.
The one thing that healthcare experts don’t want is to completely lock up our medical data.
Ironically, certain kinds of ransomware that cybercriminals use to steal the information also pose operational risks to healthcare facilities. For example, they can deny doctors access to patients’ medical data and block the IT functions necessary for providing healthcare services. So if security doesn’t keep the data locked, the ransomware can cause it to lock up, and security won’t be the ones with the key.
It’s a wild, wild world out there.
Document Shredding, anyone?
We at MedWaste Management are here to serve and protect healthcare consumers as best we can. We offer Medical Waste Disposal Services and Document Shredding Services.