NEW YORK (MainStreet) — Several years ago, an identity thief was caught in a hotel room with a half-million stolen identities, including Social Security numbers. How did he get them? He hacked into a medical practice in California. But it was not some complicated hack; he gained access to the files by simply typing in the most common password: "admin."
What this low-level thief had in his hotel room was equal to the population of Miami, says Neil O'Farrell, CreditSesame.com's security and identity theft expert.
According to the Fifth Annual Study on Medical Identity Theft from the Medical Identity Fraud Alliance, the number of Americans affected by medical identity theft increased nearly 22% in the past year, an increase of nearly a half-million victims since 2013. And that's not even including the freshly affected 80 million whose Social Security numbers were stolen in the Anthem Blue Cross Blue Shield data breach this past February.
Why your Social Security number is gold
The data in your medical files have a high dollar value for thieves, says Ann Patterson, MIFA's program director. "Law enforcement tells us stolen credit card or bank account information sells for pennies or dollars. But health data sells for high dollar amounts because it contains the gatekeeper to your entire identity — your Social Security number."
Each bit of information in your medical file is exploitable in many ways, but the complete record is worth a lot. Once thieves have an address, date of birth and Social Security number they can commit traditional identity fraud such as financial account openings; with your complete health plan information, they can commit even bigger crimes with fraudulent medical billing, government benefit fraud and prescription fraud in your name, Patterson says.
The Anthem breach kicked medical identity fraud up several notches. Anthem's CEO announced in a press release that the breach exposed members' names, addresses, email addresses, dates of birth and Social Security numbers.
It's easy to change credit card numbers, debit card numbers and bank account numbers, but it's impossible to change your birth date, ridiculous to have to move your address and extremely difficult to change your Social Security number, O'Farrell points out.
"That means the stolen personal data is as valuable today as it is in 20 years, because it never changes," O'Farrell says. "Simply stealing a credit card number doesn't lead to true identity fraud. But stealing a person's name, address, date of birth and Social Security number encompasses all four required data points on any credit application."
Your Social Security number should not be your only identity marker
Michelle Katz, licensed practical nurse and author of Healthcare Made Easy, thinks the problem lies in the increasingly common use of the Social Security number — created back in 1935 for Social Security record-keeping and federal taxes and never intended as the all-purpose ID it has become. Even the Veterans Administration and Medicare have applied it as the member number on a member card. (Last year, the VA removed it.)
Patterson says there are other identifiers that can be used by hospital groups, health plans and technology providers to the health industry, many of which are moving to biometric identifiers such as fingerprints. One, called the CrossChx System, scans patients' fingers to generate a unique code linking them to their medical records so no one else can use them. CrossChx is used in more than 50 hospitals at 200-plus locations across Ohio, West Virginia, Pennsylvania, Kentucky, Indiana, Illinois and Michigan.
"If only we could get the health industry and the government benefits programs to quit using the Social Security number, that would make the stolen information much less valuable to thieves," Patterson says.
So where is your Social Security number at risk for medical identity theft?
Online. O'Farrell points to one large online vulnerability: Healthcare.gov, which is connected to other federal and state websites containing personal health and identifying information. "There's so much room for error by any one weak link in the chain such as an untrained, careless, disgruntled employee or thief," he warns.
In fact, the Obama administration acknowledged that roughly 800,000 Obamacare enrollees got the wrong subsidy information on their 1095-A tax forms sent by healthcare.gov in February — not through fraud or a breach, but because of a simple mistake: The system used 2015 insurance information instead of the correct 2014 information for the tax forms, according to the Centers for Medicare and Medicaid Services, which said only the forms were wrong and the actual subsidy amounts were calculated correctly.
Those affected should have been notified by the Department of Health and Human Services, which runs healthcare.gov, and received a "corrected" form 1095-A during March.
At doctors' offices. Katz says doctors don't need your Social Security number. "When doctors submit claims to insurance they use your unique subscriber member number printed on your health insurance card. The only reason they ask for your Social Security number is if they need to send you to collections if you don't pay your bill."
And that information is easily stolen from the doctor's office, O'Farrell says.
At home. Yes, that's right. Twenty-five percent of medical identity theft victims in the MIFA study knowingly let a family member or friend use their personal identification to get medical services and products, and 24% say a member of the family used the credentials without their consent.
The main reasons: The recipient did not have their own medical insurance (91%), could not afford to pay for treatments (86%) or used it in an emergency (65%).
Patterson hopes that as the Affordable Care Act progresses and more Americans get coverage, this type of medical identity fraud might lessen.
In insurance company databases. O'Farrell says the Anthem breach, which was perpetrated by a simple phishing email clicked on by an employee (similar to the malware sent in emails that caused the Target and eBay breaches last year) showed these health care companies have gold mines of information and appalling security. "The Anthem data wasn't encrypted," O'Farrell says. "Encrypting the most sensitive data would have given it the best protection possible, but there was no law requiring it, so Anthem just didn't bother."
Just say "No."
While you can protect your data online, you have no control over data breaches at companies you do business with. That's why Katz never gives her Social Security number if she can avoid it. Several years ago, on her way to the gym on foot and without her purse, she was hit by a car and landed in the emergency room with no identification. "In the ER, they were hounding me for my Social Security number. But I couldn't give it to them because I was knocked out from the accident. I never gave it to them and they billed me just fine using a medical record number they generate temporarily for each patient."
"If you have a health insurance member number, there is no justifiable reason for you to give your Social Security number too," Patterson says.
Katz advises you avoid giving the number at all costs — to leave it blank on medical forms and wait to be asked for it. If you are, challenge why it is needed. Say you are worried about identity theft and ask how else you can be identified (such as by an insurer member number). "Remember, hospital emergency departments have a federal mandate to treat patients regardless of their ability to pay, so they can't turn you away for not giving out your Social Security number," Katz says.
— Written by Naomi Mannino for MainStreet