Health data breaches could be expensive and deadly

Health-related data breaches could be expensive and life-threatening

doctor holding scalpel 78805804
Credit: Thinkstock

Healthcare-related data breaches could not only be expensive, but also life-threatening, experts say, and traditional credit monitoring provides little protection.

"Credit monitoring for a breach of your identity data, medical or not, is like handing out umbrellas in a tornado," said Alisdair Faulkner, chief products officer at San Jose, Calif.-based ThreatMetrix.

"If I'm a criminal, I can either try to apply for a credit card with a limit of a few thousand dollars, or I can use your identity to access or bill for healthcare worth hundreds of thousands of dollars. How long until we see people being bankrupt by procedures they didn't have, or doctors making the wrong call in a medical emergency due to false medical history?"

According to a 2013 Ponemon study, the most recent available, 1.8 million Americans or their close family members fell victim to medical identity theft, and 36 percent of them faced significant out-of-pocket expenses as a result.

For example, some wound up having to pay full price for medical services or medicines because their medical insurance lapsed, or pay for costs incurred by fraudsters. The average cost? $18,660.

But that's not even the worst thing that could happen.

"If someone gets your medical identity, and uses that to get medical goods, services, prescriptions -- everything they do goes on your personal health record," said Bob Gregg, CEO at Portland, Ore.-based ID Experts, which provides medical identity monitoring services.

Then, the next time you're unconscious in the emergency room, the doctor won't just see your medical history, but that of the fraudsters as well.

"Suddenly, all your preexisting conditions are incorrect," he said. "Allergies, drug interactions."

Claudia Gere, an author consultant based in Massachusetts, was one of the 80 million affected by the recent Anthem breach. She said that learning of the breach made her feel vulnerable and scared.

"When I need to get medication in an emergency and I find that my account has been closed for lack of payment or whatever reason... I think I would be able to dispute the charges," she said.

If it took three months to sort things out, she said, she'd be able to cover her current medications out-of-pocket.

"But for a lot of people, it could be more than an inconvenience," she said. "It could be life threatening."

According to Anthem, the data stolen includes names, dates of birth, member ID and social security numbers, addresses, phone numbers, email addresses and employment information.

"That data could definitely be used for billing fraud," said Andrew Hicks, healthcare practice lead at Denver-based Coalfire.

In fact, medical identity information is significantly more valuable than credit card numbers or social security numbers alone. According to the World Privacy Forum, the former has a street value of around $50 -- compared to a street value of $1 for the latter.

And the average profit per record is $20,000 -- compared to just $2,000 for regular identity theft.

"Generally, prices for stolen health coverage data are an order of magnitude greater than for compromised payment card data," said Don Jackson, director of threat intelligence at Charleston, SC-based PhishLabs.

One reason, according to an EMC white paper about healthcare cybercrime, is that medical information fraud takes twice as long to spot, and is difficult to address.

Bank accounts can be easily closed, and credit cards re-issued, but correcting medical records is a far tougher challenge.

The World Privacy Forum has a list of tips for consumers, which include requesting copies of insurance billing records on a regular basis, filing police reports when there are fraudulent charges, and taking steps to correct the records when discrepancies are found. However, the organizations admits that some of this can be difficult -- in particular, police departments may not even accept a report on crimes outside their jurisdictions.

Meanwhile, many insurance companies do not have the kind of monitoring that credit card companies do to catch unusual behaviors or fraudulent transactions, said ID Experts' Gregg.

According to Gregg, there are three main ways that criminals take advantage of this.

There's the classic medical identity theft where fraudsters print up fake IDs and get medical care on your dime.

Then there's a more profitable billing fraud industry, where fraudsters set up fake clinics and bill your insurance provider for services and treatments you never received.

"It's like having a credit card that you can use to the limits of your policy, which is usually measured in the millions of dollars," he said.

Finally, your medical information can be used to order prescription drugs, which are then resold on the street for a steep markup.

"There are online pharmacies basically set up as pill mills," he said.

They don't care if the prescription itself is valid -- as long as the billing information is correct.

Basic credit monitoring services won't help, he added.

"It might show up as a hospital bill a year from now that you didn't pay," he said.

Gregg's ID Experts is one of the first companies to offer medical identity monitoring services to insurance companies, alerting individual account holders of any new charges on their medical records, and giving them an opportunity to immediately dispute those charges.

The service is currently used by Moda Health, an insurance company based in Portland, Ore., and is currently being piloted by two other firms.

The service is not available to individual consumers.

"We need the claims data feed from the payer to make it effective," he said. "We're trying to figure out how to offer it through other systems, but we can't do it today."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.