Identity thieves target medical records
According to legal experts, thieves use medical information to get credit card numbers, drain bank accounts or falsely bill Medicare and other insurers, reported USA Today.
Hospitals and other medical settings often encrypt data and take other steps to protect privacy, but “people are acting with increasing sophistication to steal information,” Stuart Gerson, a Washington, D.C.-based attorney who represents healthcare firms, told USA Today.
Those intent on crime “attempt to gain the assistance of insiders” and use new methods to capture data from files, even those that are encrypted, Gerson said.
Pam Dixon, executive director of the advocacy group World Privacy Forum, told USA Today that “sophisticated crime rings” often can obtain more money by stealing medical identities than by pursuing individuals’ bank accounts or credit cards. “If you steal someone's medical identity, then multiply that by 100 or 1,000 other thefts [and falsely bill in the name of the victim] you can make hundreds of thousands, if not millions, of dollars,” Dixon said.
In 2007, a coordinator at the Cleveland Clinic was convicted of identity theft, computer fraud and other charges after downloading patient information and selling it to a cousin, who submitted more than $2.5 million in phony bills to Medicare, reported USA Today.
In April, a former employee at New York-Presbyterian Hospital/Weill Cornell Medical Center in New York City was charged by the U.S. Attorney for the Southern District of New York with accessing approximately 50,000 patient records for the purpose of selling personal information.
Last week, a former administrative specialist at UCLA Medical Center in Los Angeles was indicted by a federal grand jury for allegedly selling medical records of celebrity patients to the media, according to an unsealed court document.
USA Today reported that the false information from fake billings can end up in patients' medical files—and creditors might seek payment from the patients. Until the creditors call, patients might not know their medical information has been accessed.
In a recent survey of 263 healthcare providers, 13 percent revealed that their facility had experienced a data breach. Of those, 48 percent indicated that "reprimanding the employee" is an effective breach response, while 11 percent offer education as a solution, according to the HIMSS Analytics and Kroll Fraud Solutions survey. The survey also noted that of the 13 percent, 35 percent said that the security policy did not change after the incident.
In January, California began requiring that consumers receive notice when their medical information is improperly accessed. It is only the second state, besides Arkansas, to do so, Dixon told USA Today.
Similar legislation, written by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., is being debated in Congress, according to USA Today.