BreachExchange mailing list archives
Beware of the medical identity theft epidemic
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Sep 2014 18:37:34 -0600
http://www.freep.com/article/20140913/FEATURES08/309130054/medical-ID-theft

Within the past few weeks we have seen the hacking of the Affordable Care Act's HealthCare.gov as well as a massive data breach at Community Health Systems, a hospital chain with medical facilities in 29 states in which the records of 4.5 million patients of Community Health Systems' hospitals including names, addresses, birth dates and Social Security numbers were stolen.

Despite government assurances that the recent hacking of HealthCare.gov did not compromise the security of the personal information of enrollees and the hack was confined to a server that was not supposed to be connected to the Internet, many security experts continue to have doubts about the security of the HealthCare.gov website. And why wouldn't they?

In June, Access Health Connecticut, which operates the Affordable Care Act in Connecticut, disclosed that a backpack of an employee of Maximus, the company providing call center services for Access Health, containing handwritten personal information on 400 Obamacare enrollees was found left on a Hartford street. The information contained included names, Social Security numbers and birth dates of Connecticut enrollees.

And therein lies much of the problem with this large bureaucracy. The Affordable Care Act involves not just multiple government agencies, but numerous private contractors as well. As my grandmother used to say, "I can keep a secret; it's the people I tell that can't keep a secret." So who are these people? Unfortunately, in many instances, we don't know because the Affordable Care Act does not require that Navigators, the employees who enroll applicants, undergo criminal background checks. Although some individual states have their own rules requiring background checks of potential Navigators, many do not.

As for Community Health Systems, their computers were hacked by Chinese identity thieves who stole personal information exploiting the infamous Heartbleed security flaw in the OpenSSL encryption security technology discovered last April that is used by as many as two-thirds of websites on the Internet.

As much as data breaches at companies such as Target and Home Depot make headlines, according to the Ponemon Institute's Annual Study on Patient Privacy and Data Security the health care industry accounted for 44% of all data breaches in 2013, the most, by far, of any sector of the economy. In fact, a survey done by the security firm ID Experts found that 90% of health care organizations polled had suffered a data breach during the past two years with 38% having had more than five data breaches during that period. Twice this year, the FBI has warned the health care industry that they are a prime target of hackers and that the industry's security measures were not adequate to meet the threat.

Identity theft from medical institutions can impact you in a number of ways. First, the information can be used to access your medical insurance, incurring large medical bills in your name that may not be covered by your medical insurance and collection companies will come after you for payment. Second, as with other types of identity theft, bad debts incurred in your name by an identity thief can have a disastrous effect on your credit report, which in turn can affect your life in so many ways, from getting a job, to getting a loan to being able to buy insurance. Third, and most frightening however, is that your medical records can be mingled with the medical records of the identity thief, which can result in your receiving improper care, such as a blood transfusion of the wrong blood type.

You also may find it difficult to access your health insurance as coverage amounts on your policy are used by people other than you, making it more difficult to get the benefits of your own policy.

What can you do?

1. Your Social Security number is a key to identity theft. Most health care providers routinely ask for it, but they often do not need it. In fact, in many instances, they are only asking for it to assist them in collecting an overdue bill from you. If your health care provider requests your Social Security number, ask if they are willing to accept your driver's license or some other identifying number.

2. Shred documents with personal information such as old medical records that you have at home and don't need. Otherwise, dumpster-diving identity thieves can go through your trash and turn it into their gold.

3. Although they are almost impossible to decipher, carefully review the poorly named "Explanation of Benefits" that you get from your health insurer to make sure that all charges were incurred by you. Often people just look at the bottom line and if they see that they do not owe anything, they fail to read the rest of the form.

4. Just as you should regularly check your credit report, you also should regularly check your medical records to make sure that there are not mistakes.

5. Never give your medical insurance information or any personal information to anyone over the phone or online unless you are absolutely sure that they are legitimate. Medical identity thieves pose as employees of your insurance company or your doctor.

When it comes to protecting yourself from identity theft, the place to find a helping hand is at the end of your own arm.