Attacks/Breaches
8/21/2013
05:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Consortium Formed To Cure Rise In Medical ID Fraud

Medical Identity Fraud Alliance debut a sign of the times as attackers set sights on valuable patient insurance and other health records

A U.S. public-private alliance co-founded by Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center, and others will officially launch next month to fight medical identity theft amid a sickening spike in this form of fraud.

The new Medical Identity Fraud Alliance (MIFA), whose other founders include the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts, is aimed at combating medical ID theft by getting together key players and establishing solutions and best practices, technologies, research, as well as educating and helping empower consumers to better protect their increasingly targeted health information. MIFA will also provide a venue for information- and attack intelligence-sharing.

The FBI and U.S. Secret Service will participate in a liaison capacity with MIFA, and the alliance has reached out to both the Federal Trade Commission and Department of Justice. "Medical identity theft is being called the fastest-growing type of fraud," says Robin Slade, a development coordinator for MIFA, who hails from the fraud-detection side of the financial services industry. "It contributes to the increasing cost of health care."

Slade says there were 1.85 million victims of medical ID fraud last year, but most insured adults are unaware of this new form of crime, which comes with the added risk of physically endangering the victim.

"Unlike financial identity theft, medical identity theft holds life-threatening impacts. If you are rushed to the ER with appendicitis and your records show you've already had your appendicitis removed," for example, or your records show a discrepancy in blood types, the consequences are dangerous, she says.

Some 40 percent of medical ID theft victims have had their health insurance canceled due to fraudulent charges; victims spend thousands of dollars and more than a year's worth of time trying to recover from the fraud, says Bill Barr, a development coordinator with MIFA and co-founder of the Smart Card Forum.

Medical identity theft typically stems from individuals sharing their insurance or other medical information with family or friends, or when health-care organizations suffer breaches that expose patient data. Some 94 percent of U.S. health-care organizations have been hit by at least one data breach, and close to half have suffered more than five breaches in the past two years, according to The Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security, published late last year, which was commissioned by ID Experts, one of the co-founders of MIFA.

While about half of victims of medical ID fraud know the perpetrators who abuse their information -- typically a family member or friend -- according to Ponemon's data, cybercriminals are increasingly targeting this type of information, too. Underground forums sell packages of stolen information on victims, including so-called "kitz" that include bank account credentials, Social Security numbers, health insurance credentials, and phony driver's licenses or other IDs. These sell for $1,200 to $1,300, according to Dell SecureWorks, which recently uncovered some of these scams.

Health insurance credentials go for about $20 apiece, plus another $20 for dental, vision, or chiropractic plans, for instance. Buyers are using the health insurance information to get free medical services, drugs, and surgeries, according to Dell SecureWorks.

"There's a marketplace out there for medical-protected health information and medical identity information. It runs all the way from relatively small stuff, like I let my brother use my insurance card to get a flu shot, and it goes up to criminal organizations putting out complete ID kits so people with expensive medical procedures can get it for free," MIFA's Barr says.

In one case cited in Ponemon's study, fraudsters ran up more than $100,000 in medical expenses using stolen credentials, he says.

[Stolen medical identity "kitz" come complete with health insurance info, banking information, physical copies of credit cards, and more. See Hackers Hawk Stolen Health Insurance Information In Detailed Dossiers.]

A perfect storm is brewing for medical ID fraud with the nationwide move to electronic health records, combined with the new health-care law yielding new health-care exchanges and newly insured Americans, Slade says. "It's a combination of the 'electronification' of the data and the increase in data breaches. Plus most consumers are unaware that this [threat exists]," she says.

The alliance plans to work with the health-care ISAC (Information Sharing and Analysis) organization and other groups, she says, and provide a forum for information and intelligence-sharing, as well. "There's a lot to be learned by sharing information with each other in a sanitized approach. This is something the financial services industry put in place, and it made a significant difference in thwarting fraud," Slade says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/26/2013 | 6:13:45 PM
re: New Consortium Formed To Cure Rise In Medical ID Fraud
Information security is certainly a big topic when talking about health IT and the implementation of HIEs to share data with other providers. With most data being electronic, hackers are going to be more of a threat, as we can see in the article, so security standards need to be implemented and attested to. Having this group of organizations sharing ideas and expertise should hopefully lead to this increased security, but as we have all learned in the past, hackers can find a way into most any electronic system if they really want to.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.