NEW YORK (MainStreet) — Credit card related data breaches get all the headlines - but there is a bigger, more worrisome threat to your safety and privacy, multiple experts insisted to Mainstreet, and they pointed to medical identity theft.
“Health care files contain a lot more than your medical information," said Art Gross, CEO of HIPPA Secure Now. "They also have substantial personal information such as your Social Security number in many cases.”
Want vivid proof? Brian Beyer, CEO at security company Red Canary, said that in online criminal marketplaces the going rate for a valid - stolen - credit card is perhaps $2. For a medical file, it’s $50.
Crooks are using stolen medical records to file bogus federal tax returns - perhaps in your name! Other crooks are getting medical services on your account. And just maybe the biggest abuse, said Beyer, is mass filing of bogus insurance claims by crooked medical providers. He added: “You have to assume that possibly your medical files have been breached.”
The bad news: there probably is not much you can do to protect yourself although what steps you can take are down the page.
First: here is how bad matters are. Most doctors and even many hospitals are miserable at data protection. In its fifth annual study of the security of healthcare data, Ponemon Institute reported that “more than 90% of healthcare organizations represented in this study had a data breach, and 40% had more than five data breaches over the past two years.”
Ponemon also claimed that medical ID theft has doubled in five years, from 1.4 million adult victims to 2.3 million in 2014.
Slick cyber crooks already are on this. Victims have been huge insurers such as Anthem - where some 80 million customer records apparently were stolen in a cyber attack. Another 11 million were stolen in the Premera breach earlier this year.
But probably more vulnerable - and also tempting to cyber crooks - are small hospitals, even physician and dental practices. All accumulate files stuffed with detailed personal info - from date of birth and Social Security number to family medical history.
And matters look to get worse, before they get better. Fundamental changes are occurring in health care and financial services that probably mean the number of cyber attacks on medical records will vault up, said Beyer. The first reason: financial services company are getting good at defending themselves against cyber crooks. They are perfecting data analytics that are designed to let them detect and shut down fraudulent credit card use almost as soon as it happens.
Medical record fraud is different. “You may never know your information has been breached,” said Gross. Stolen medical identities can be mined for ten or more years, said experts. This is information that does date swiftly. You may get new credit card numbers every year or three. You have had the same Social Security number essentially since birth.
The second reason: medicine is in the midst of a massive shift from paper based record keeping to digital records but providers just are not investing appropriately in security. It used to be the case that a doctor could believe his tens of thousands of paper patient files were safe from crooks, because what were crooks going to do? Bring in a team of movers to cart them away? Now, a few mouse clicks can copy those files and, in many cases, the organization will not even know it has been breached, said Gross.
“Heath care just has not seen IT security as a core competence,” said Carl Wright, general manager at security company TrapX.
That puts an onus of self protection on you. Exactly what can you do?
Don’t assume this is not your problem. Wrong medical information in your files can lead to dramatically wrong medical decisions later. Said identity theft expert Robert Siciliano: “The problem really starts kicking in when the impostor’s medical situation gets tacked onto your medical record—since they are posing as you. This can result in a number of harmful outcomes for you. Not only can it potentially cause misdiagnoses, you could be issued a prescription to a drug that you have a fatal reaction to.”
There also are rising numbers of instances where debt collectors are pursuing innocent victims for co-pays incurred by criminals using stolen credentials, said experts.
The same experts shrug that self defense is not obvious. Said Grayson Milbourne, security intelligence director, Webroot: “I see this issue as somewhat difficult to solve, as there are big differences in security practices between healthcare providers, and consumers should not be expected to grill their doctors on what security practices are being taken.”
But one big tip, offered by multiple experts: monitor claims on your insurance even where there are no co-pays. If your insurance is paying for a $5,000 colonoscopy in New Brunswick, N.J. on a day you know you were on a business trip to Hartford, call in an alert. Something may be up and the quicker it is caught the better for you.
Bottom-line: Stay vigilant about theft of your medical credentials because increasingly that - not credit card info - is what crooks want.
—Written by Robert McGarvey for MainStreet