BreachExchange mailing list archives

Thieves target health insurance policy numbers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Feb 2014 18:22:51 -0700

http://www.kansas.com/2014/02/10/3275820/thieves-target-health-insurance.html

Most of us tightly guard our credit cards and bank account numbers, but
health insurance policy numbers are also prime targets for thieves. An
estimated 1.84 million people were victims of medical identity theft in
2013, according to the Ponemon Institute, a research organization, which
expects that number to rise.

Victims often don't realize they've been targeted until they discover a
drop in their credit score or until a collection agency comes after them
for unpaid medical bills, said Jim Quiggle, director of communications for
the Coalition Against Insurance Fraud, a group that includes insurers,
consumer activists and government officials. While most of the cost of
medical identity theft is borne by the health care industry and government,
the Ponemon Institute estimates that about 36 percent of victims in 2013
incurred out-of-pocket costs such as reimbursements for services provided
to impostors, legal fees and identity protection services. The average cost
for these victims amounted to $18,660; in a few cases, it exceeded $100,000.

Medical identity theft can happen in several ways. In one common scenario,
the criminal persuades a consumer to divulge his health insurance number.
Strategies for collecting these numbers can be highly sophisticated,
especially when crooks operate in teams, Quiggle said. "They might invite
seniors to bogus health fairs where they take their blood pressure and give
them some nutritional supplements and ask to see their Medicare cards."

Jennifer Trussell, who investigates medical identity theft for the
Department of Health and Human Services' Office of Inspector General, has
seen cases where criminal rings target senior centers or homeless shelters
and offer people $50 for, say, their Medicare number. "That information is
sold again and again," she said.

Even though the victims in these instances voluntarily share their numbers,
they may not realize the impact, Quiggle said. "They'll discover to their
horror that their Medicare account is being rifled and even maxed out by
thieves who are making false claims against their policy."

Some cases are perpetrated by employees of medical offices or even health
care providers. Trussell worked on a case involving an Iowa chiropractor
who had lifted the names and dates of birth of more than 200 patients to
collect fraudulent Medicaid payments. In another case, a Baltimore pharmacy
owner and two employees were indicted for allegedly submitting bogus claims
for prescription refills to Medicaid and Medicare.

Sometimes medical identity theft happens with the cooperation of the
victim, who allows a family member or acquaintance to use his health
insurance card to obtain care. Ponemon Institute founder Larry Ponemon said
these "Robin Hood" crimes made up 30 percent of the medical identity thefts
his group studied in 2013.

Giving your insurance number to someone in need might seem like a generous
thing to do, but it's still a crime and you could suffer consequences if
the visits rack up bills that go unpaid or result in incorrect additions to
your medical records, Ponemon said. If an impostor's blood type or medical
condition gets added to your record, you could end up receiving
inappropriate or even life-threatening treatment.

Electronic medical records make your medical data easier to steal, because
any clerk with access to patient records can load patient information onto
a thumb drive and sell it to cronies or crime rings, Quiggle said. And
because the Internet makes electronic records easy to share, tracking down
all the providers who have received incorrect data can be difficult.

So how do you protect yourself? Never give your medical identity
credentials to anyone but those with a legitimate reason for needing this
information, such as the billing person at your doctor's office, Quiggle
said. Treat with suspicion anyone who asks you for your insurance number
without a good reason, and never give these numbers to telemarketers or
callers conducting "health surveys."

Closely scrutinize the "Explanation of Benefits" or "Medicare Summary
Notice" documents that are sent to you to make sure that you actually
received the services and products listed, he said.

If you see anything suspicious, ask to see your medical record to look for
mistakes or evidence that your identity has been compromised. "A lot of
people don't realize that they have the right to read their medical
records," Ponemon said. He recalls a case where a woman who stood more than
6 feet tall went in for bypass surgery; her medical record, however, showed
that she was just over 5 feet tall because, unbeknown to her, an impostor
had used her identity to receive care. Had she been given anesthesia and
other drugs based on the impostor's size, she could have faced serious
problems with the surgery.

Think twice before sharing detailed medical information on social media,
Trussell said. Posting a medical diagnosis on social media is akin to
posting your address along with the dates that you'll be away on vacation.
An impostor could use that information to obtain services that might not
raise red flags with your insurer. For instance, if you tweet about your
diabetes diagnosis, Trussell said, it's possible that "next thing you know,
you're getting diabetes test strips you didn't order or receive billed to
your insurance company."

If you discover that your medical identity has been stolen, your first step
should be a call to the police, Ponemon said. Next, call the Federal Trade
Commission's identity theft hotline, 877-ID-THEFT, or report the problem
online at www.ftc.gov/idtheft. Report Medicare- or Medicaid-related crimes
to oig.hhs.gov/fraud/hotline or by calling 800-HHS-TIPS.

