Attacks/Breaches
9/12/2013
06:14 PM

Medical ID Theft Spreads

1.8 million Americans have been victims of medical identity fraud -- including some from their own family members -- new report finds

Identity theft isn't just credit- and debit-card account or Social Security number theft anymore: Cybercriminals are targeting health insurance and other personal information to peddle or execute medical fraud for surgeries, prescription drugs, and medical equipment. A new report published Thursday shows how quickly this medical identity theft is growing, with 1.84 million Americans falling victim to this form of fraud.

Medical identity theft is costly -- victims paid $12 billion out of pocket last year -- and it can be literally lethal, according to a new report by The Ponemon Group. "Medical identity theft is contributing significantly to the high costs of health care," says Robin Slade, development coordinator for the Medical Identity Fraud Alliance, which, along with ID Experts, commissioned the report. "With financial fraud, you recover most of the losses incurred. But medical identity theft has the potential to impede medical treatment and to potentially kill you. The fraud causes your medical records to be contaminated by the medical information of the perpetrator. And very few consumers are aware of it."

Some 15 percent of medical ID theft victims say the fraud resulted in a misdiagnosis; 13 percent, an inaccurate treatment; 14 percent, a delay in treatment; and 11 percent, the wrong prescription drugs. Half of those patients say those issues have not been resolved, according to the report.

Some 313,000 new cases of medical ID theft were reported last year, and those were only the ones on record: Security experts say many aren't reported. So-called "family fraud" factors into the equation here as well, says Larry Ponemon, chairman and founder of The Ponemon Institute.

Some 30 percent of the respondents say they have allowed a family member to use their personal IDs to receive medical treatment, health care products, or pharmaceuticals, and more than one-fifth of them don't know how many times they have done so. Nearly half of all medical ID fraud victims say they know who stole their identities but didn't want to report the perpetrators. And many don't realize it's illegal.

"It might be for a family member or friend suffering and who needs emergency care and is not insured, so they hand it over [their insurance card], and it's used to steal [services]," Ponemon says. "The family fraud issue is a very troubling finding."

The report underlines one of the big problems with medical ID theft: a lack of understanding of just what constitutes fraud, as well as the growing value of medical information. Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center, the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts last month co-founded the public-private Medical Identity Fraud Alliance to help fight medical identity theft. MIFA aims to unite key players and establish solutions and best practices, as well as educate consumers on how to empower themselves to protect their health information.

[Medical Identity Fraud Alliance debut a sign of the times as attackers set sights on valuable patient insurance and other health records. See New Consortium Formed To Cure Rise In Medical ID Fraud.]

Medical ID theft can take several forms: It can be the result of family fraud, a health care provider's online data breach, or physical theft of equipment storing the information, such as the break-in last month at an administrative office of the largest health system in Illinois, Advocate Medical Group, where thieves stole four unencrypted computers that contained Social Security numbers, health insurance, and other personal information of 4.03 million patients.

Most victims don't know how their medical information was exposed, Ponemon says. "A large segment of folks don't know how it happened," he says.

Some 56 percent of the victims say they lost confidence in their health care provider in the wake of the fraud experience, and 57 percent say they would drop their providers if they were unable to protect their medical records. But most consumers don't do much to protect their medical information: Fifty-four percent say they don't check their health records because they don't know how to do so and are relying on their health care provider to take care of it, and 52 percent say they didn't report medical claims that appeared inaccurate.

Dan Nutkis, founder and CEO of the Health Information Trust Alliance (HITRUST), says health care organizations increasingly are being targeted by cybercriminals for both financial and medical information. "There's no question about it: There's been an uptick in healthcare [providers] being targeted," Nutkis says.

Attackers are planting backdoors or other malware on health care organizations' systems and selling them to other bad guys who use them to steal information. "They have planted backdoors in health care organizations so they can sell access," Nutkis says.

Alex Balan, head of product management at BullGuard, which offers an online identity protection service for consumers, points to a data dump a few months ago that included victim names, dates of birth, addresses, height, weight, full credit card account information, insurance information, and even the type of cars they drove. "There were 20 to 30 columns for each individual [entry]," Balan says. It was enough information to begin to assume someone's identity.

Social engineering can provide a treasure trove of medical information for fraudsters, he says. "If you're trying to get services from a medical institution or a hospital, you need to know the entire scripts on what you're going to be asked, and what credentials [you will need, for example]," he says.

The full Ponemon 2013 Survey on Medical Identity Theft is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
