
In 2013, the health care industry experienced more data breaches than it ever had before, accounting for 44% of all breaches, according to the Identity Theft Resource Center. It was the first time that the medical industry surpassed all others, and stood in stark contrast to the financial services industry, which represented just 3.7% of the total.

Identity theft is so pervasive in health care that, according to a 2013 ID Experts data security survey of 91 healthcare organizations, 90% of respondents had experienced a data breach in the previous two years and 38% had had more than five incidents. The leading causes of a breach are typical for any business: a lost or stolen computing device, an employee error, a third-party snafu. There’s also “Robin Hood fraud,” in which someone knowingly gives a friend or family member information to fraudulently receive health care. But one cause has grown in importance: Criminal attacks have doubled in the last four years, according to the survey. (A good example: the theft of 4.5 million records this month at hospital operator Community Health Services.)

Rick Kam, president and cofounder of ID Experts, a company that helps health organizations prevent and respond to breaches, says his team has been tracking crime rings that have been prosecuted in the last year for medical fraud. “Essentially, criminals have come to understand that using your medical credentials – your name, Social Security Number and health insurance numbers – to order goods and services that are never delivered and to bill organizations like Medicare and Medicaid, those activities are more profitable than drugs, prostitution, and other crimes they may pursue.” For this reason, medical identities are 20 to 50 times more valuable to criminals than financial identities. What could exacerbate the problem is the digitization of health information found in electronic records, mobile devices, and health exchanges.

Estimates of annual United States medical fraud range from $80 billion to $230 billion. Health care organizations that suffer breaches face costs that average $2 million over two years, according to estimates. This is why the health care industry and related players are starting to come together to tackle prevention. It is a formidable task: With so many potential avenues for information to be lost, so many different institutions from which to steal data, and so many ways of perpetrating fraud at other organizations – not to mention the lack of a central database for reporting such fraud – the industry is a long way from being as impenetrable as the financial services industry.

Steven Toporoff, an attorney in the division of privacy and identity protection at the Federal Trade Commission, says that people who suspect financial fraud can get free copies of credit reports and can put on a fraud alert under federal law or a credit freeze in most states to halt fraudulent activity. “There are ways to block erroneous items from their credit report,” he says. “There are also remedies if you have a bank account and monies were withdrawn. There are protections for credit cards. In the financial world, we’ve been dealing with these problems for years. Unfortunately, in the medical world, it has not caught up yet.”

This year, a few dozen businesses (including health care providers such as hospitals, integrated care payer-providers such as Kaiser Permanente, insurers, credit companies, and digital security companies) formed the Medical Identity Fraud Alliance. The industry group is focusing on three key tasks: developing best practices to prevent medical identity theft and fraud for providers, payers, information management companies, and regulators; educating consumers, providers, and third-party vendors; and influencing relevant legislation and regulations. The group aims “to take an enterprise-wide approach,” says Ann Patterson, MIFA’s senior vice president and program director. A company can’t just relegate the task of theft prevention to one executive or department, such as the chief information officer, the fraud investigator, or the HIPAA privacy office, she says. “It’s everybody together, down to someone in the mail room.”

Larry Ponemon, chairman and founder of the Ponemon Institute, a cyber security research firm, says health care companies aren’t prioritizing information security enough. For instance, he says, if you call and report a lost health insurance card, most companies will reissue you a card with the same number, whereas a credit card company would issue you a card with a new one. “The insurance industry could do a better job to make sure the credential is state of the art, that it isn’t just a piece of plastic but has information about you or could even in fact be a biometric or even a retina or facial scan,” Ponemon says. He adds that health companies could also adopt the behavioral analysis used by financial companies to determine whether charges or activities fall into an unusual pattern. The health care industry could take one more page from the financial services identity theft prevention playbook: adopt the U.S. Federal Trade Commission’s Red Flags Rule, which requires businesses and organizations to develop and implement procedures to detect suspicious activities or patterns of behavior that suggest identity theft. Some measures are as simple as asking for photo identification.