Harry Lime Lives! It’s the 1949 Vienna of ‘The Third Man’ when it comes to the black market of medical identity theft. Data breaches are easier than heisting penicillin off an Army Medical Corps truck and far less noticeable–there’s always a lag time in discovery, as more than one health system (Community Health System) found. And protected health information (PHI) has value down the line. According to a report cited by FierceHealthIT:
- Simple data comes cheap: names, birth dates and health insurance contract with group numbers fetch a pedestrian $20.
- Add Social Security (SSI) numbers, banking and credit card information, and these ‘kits’ fetch $1,500. These can be used for financial fraud of multiple types or alternate identities.
- Add medical data, and direct marketing data brokers and pharmacy benefit companies are willing to pay. They use it for legitimate (but annoying) purposes, such as targeting those with specific diseases.
- Add physical identification, and the value goes through the roof for fake passports, driver’s licenses and visas.
The ways PHI can be accessed are many: EHRs, paper records, stolen laptops, CDs, accounting systems, provider, insurer and supplier systems, and simple ‘friendly fraud’ where an insured person lends information to a non-insured friend. Ponemon Institute estimated the 2013 cost of US medical data breaches to be about $5.6 billion [TTA 23 April], an amount that will certainly be exceeded in 2014 with the CHS breach.
What can be done? This Editor has written extensively on the need to harden systems (see data breaches). Yvonne Li of SurMD takes a fresh and counter-intuitive look over at HITECH Answers, positing that DIY for organizations is not the way to go. Migrating your data to third-party cloud storage partners experienced in ultra-secure storage is a far better choice, as long as it is encrypted start-to-finish and in a failproof way, which she describes so that even a non-IT professional can understand.
What’s behind the dramatic rise in medical identity theft? (Fortune). Also, an organization called the Medical Identity Fraud Alliance has published a free report, The Growing Threat of Medical Identity Fraud: A Call to Action (download here).