In this interview with Help Net Security, Paige Hanson, Head of Cybersecurity Education at NortonLifeLock, talks about the risks posed by medical identity theft, the repercussions of such criminal activity, and what people and organizations can do to protect valuable medical information.
While the pandemic still shows no signs of stopping, healthcare organizations continue to be an attractive target for cybercriminals. How does this affect patients?
Medical identity theft can be costly. When medical identity theft targets insurers or government programs, the resulting costs can be borne by the general population, through higher insurance costs or increased taxes.
Even more concerning than the possible financial cost of medical identity theft is the potential risk it poses of mixing an identity thief’s health information with your own. This could ultimately put your care at risk the next time you receive medical treatment. For example, you might be given medications to which you are allergic.
What techniques do cybercriminals use to steal medical IDs?
A cybercriminal needs your personal information to commit medical identity theft against you. This information may include your social security number, name, date of birth, and other personally identifiable information (PII). The thief may also use your PHI, or personal health information, including your health data and your medical and prescription history.
Something as simple as a lost wallet — with your Social Security card inside — could lead to medical identity theft. The criminal uses this card and other information in your wallet to get medical attention at a doctor’s office or in the emergency room. Thieves may also obtain the information as a result of data breaches affecting health insurance companies and other entities. Often the hacked data ends up for sale on the dark web. It is important never to give out your personal information over the phone or by email unless you initiated the communication, as this is also a common technique for stealing medical information.
How do cybercriminals profit from medical identity theft?
Cybercriminals can use your personal information to obtain medical services, treatments or medicines. They may also fraudulently bill insurers or government programs for medical goods and services without your permission.
Patients and providers can commit fraudulent medical claims, depending on the circumstances. Consumers steal insurance information to cover benefits that their insurance may not include, or because they have no insurance. Providers may also file fraudulent claims against an individual’s insurance for reimbursement for procedures they never performed to offset the cost of treating uninsured or underinsured clients.
What should healthcare organizations do to combat medical identity theft?
Healthcare organizations are responsible for the proper handling of their patients’ medical information. Here are some steps organizations can take to support patients who are victims of medical identity theft and to prevent data breaches:
- Investigate: If your organization receives a call from a patient claiming to have been billed for services she did not receive, review your records for services performed and any supporting documentation. If you determine that identity theft has occurred, notify everyone who has accessed the patient’s medical records and ask them to correct the records.
- Provide data breach notifications: If you determine that your organization has improperly used or shared protected health information, you must notify patients if a breach has occurred.
- Review your data security practices: Even if the information used to commit the fraud does not come from your organization, it is a good idea to periodically review your data security practices.
Is there anything people can do to protect themselves against medical identity theft?
Fortunately, there are steps you can take to protect yourself against medical identity theft.
- Obtain a copy of your medical records: Under federal law, you have the right to know what is in your medical records, except in certain circumstances. Ask your doctors for a copy of your medical records so you have all your documents in case you need to report identity theft.
- Check your explanation of benefits and credit report: You will receive explanatory documents on the benefits each time you consult a doctor and pay with insurance. EOB documents show the services you received and what the insurer covered. When you receive one of these summaries, compare it to your own records. If the service date, provider name and service provided do not match the care you received, this may be a problem. Another red flag? Opening an EOB for a service you never received.
- Protect your medical information: Do not share medical or insurance information over the phone or email unless you initiate the communication and know who you are dealing with. Also, make sure your practice’s website is secure (check the “https” in the URL) and if you stop seeing a provider, you can request that your personal information be removed from their systems.