BreachExchange mailing list archives

Beware of the medical identity theft epidemic


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Sep 2014 18:37:34 -0600

http://www.freep.com/article/20140913/FEATURES08/309130054/medical-ID-theft

Within the past few weeks we have seen the hacking of the Affordable Care
Act's HealthCare.gov as well as a massive data breach at Community Health
Systems, a hospital chain with medical facilities in 29 states in which the
records of 4.5 million patients of Community Health Systems' hospitals
including names, addresses, birth dates and Social Security numbers were
stolen.

Despite government assurances that the recent hacking of HealthCare.gov did
not compromise the security of the personal information of enrollees and
the hack was confined to a server that was not supposed to be connected to
the Internet, many security experts continue to have doubts about the
security of the HealthCare.gov website.

And why wouldn't they?

In June, Access Health Connecticut, which operates the Affordable Care Act
in Connecticut, disclosed that a backpack of an employee of Maximus, the
company providing call center services for Access Health, containing
handwritten personal information on 400 Obamacare enrollees was found left
on a Hartford street. The information contained included names, Social
Security numbers and birth dates of Connecticut enrollees. And therein lies
much of the problem with this large bureaucracy. The Affordable Care Act
involves not just multiple government agencies, but numerous private
contractors as well. As my grandmother used to say, "I can keep a secret;
it's the people I tell that can't keep a secret."

So who are these people?

Unfortunately, in many instances, we don't know because the Affordable Care
Act does not require that Navigators, the employees who enroll applicants,
undergo criminal background checks. Although some individual states have
their own rules requiring background checks of potential Navigators, many
do not.

As for Community Health Systems, their computers were hacked by Chinese
identity thieves who stole personal information exploiting the infamous
Heartbleed security flaw in the OpenSSL encryption security technology
discovered last April that is used by as many as two-thirds of websites on
the Internet.

As much as data breaches at companies such as Target and Home Depot make
headlines, according to the Ponemon Institute's Annual Study on Patient
Privacy and Data Security, the health care industry accounted for 44% of all
data breaches in 2013, the most, by far, of any sector of the economy. In
fact, a survey done by the security firm ID Experts found that 90% of
health care organizations polled had suffered a data breach during the past
two years with 38% having had more than five data breaches during that
period. Twice this year, the FBI has warned the health care industry that
they are a prime target of hackers and that the industry's security
measures were not adequate to meet the threat.

Identity theft from medical institutions can impact you in a number of
ways. First, the information can be used to access your medical insurance,
incurring large medical bills in your name that may not be covered by your
medical insurance, and collection companies will come after you for payment.
Second, as with other types of identity theft, bad debts incurred in your
name by an identity thief can have a disastrous effect on your credit
report, which in turn can affect your life in so many ways, from getting a
job, to getting a loan to being able to buy insurance. Third, and most
frightening however, is that your medical records can be mingled with the
medical records of the identity thief, which can result in your receiving
improper care, such as a blood transfusion of the wrong blood type. You
also may find it difficult to access your health insurance as coverage
amounts on your policy are used by people other than you, making it more
difficult to get the benefits of your own policy.

What can you do?

1. Your Social Security number is a key to identity theft. Most health care
providers routinely ask for it, but they often do not need it. In fact, in
many instances, they are only asking for it to assist them in collecting an
overdue bill from you. If your health care provider requests your Social
Security number, ask if they are willing to accept your driver's license or
some other identifying number.

2. Shred documents with personal information such as old medical records
that you have at home and don't need. Otherwise, dumpster-diving identity
thieves can go through your trash and turn it into their gold.

3. Although they are almost impossible to decipher, carefully review the
poorly named "Explanation of Benefits" that you get from your health
insurer to make sure that all charges were incurred by you. Often people
just look at the bottom line and if they see that they do not owe anything,
they fail to read the rest of the form.

4. Just as you should regularly check your credit report, you also should
regularly check your medical records to make sure that there are not
mistakes.

5. Never give your medical insurance information or any personal
information to anyone over the phone or online unless you are absolutely
sure that they are legitimate. Medical identity thieves pose as employees
of your insurance company or your doctor.

When it comes to protecting yourself from identity theft, the place to find
a helping hand is at the end of your own arm.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
