Medical ID Theft Spreads

1.8 million Americans have been victims of medical identity fraud -- including some from their own family members -- new report finds

Identity theft isn't just credit- and debit-card account or Social Security number theft anymore: Cybercriminals are targeting health insurance and other personal information to peddle or execute medical fraud for surgeries, prescription drugs, and medical equipment. A new report published Thursday shows how quickly this medical identity theft is growing, with 1.84 million Americans falling victim to this form of fraud.

Medical identity theft is costly -- victims paid $12 billion out of pocket last year -- and it can be literally lethal, according to a new report by The Ponemon Group. "Medical identity theft is contributing significantly to the high costs of health care," says Robin Slade, development coordinator for the Medical Identity Fraud Alliance, which, along with ID Experts, commissioned the report. "With financial fraud, you recover most of the losses incurred. But medical identity theft has the potential to impede medical treatment and to potentially kill you. The fraud causes your medical records to be contaminated by the medical information of the perpetrator. And very few consumers are aware of it."

Some 15 percent of medical ID theft victims say the fraud resulted in a misdiagnosis; 13 percent, an inaccurate treatment; 14 percent, a delay in treatment; and 11 percent, the wrong prescription drugs. Half of those patients say those issues have not been resolved, according to the report.

Some 313,000 new cases of medical ID theft were reported last year, and those were only the ones on record: Security experts say many aren't reported. So-called "family fraud" factors into the equation here as well, says Larry Ponemon, chairman and founder of The Ponemon Institute.

Some 30 percent of the respondents say they have allowed a family member to use their personal IDs to receive medical treatment, health care products, or pharmaceuticals, and more than one-fifth of them don't know how many times they have done so. Nearly half of all medical ID fraud victims say they know who stole their identities but didn't want to report the perpetrators. And many don't realize it's illegal.

"It might be for a family member or friend suffering and who needs emergency care and is not insured, so they hand it over [their insurance card], and it's used to steal [services]," Ponemon says. "The family fraud issue is a very troubling finding."

The report underlines one of the big problems with medical ID theft: a lack of understanding of just what constitutes fraud, as well as the growing value of medical information. Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center, the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts last month co-founded the public-private Medical Identity Fraud Alliance to help fight medical identity theft. MIFA aims to unite key players and establish solutions and best practices, as well as educate consumers on how to empower themselves to protect their health information.

[Medical Identity Fraud Alliance debut a sign of the times as attackers set sights on valuable patient insurance and other health records. See New Consortium Formed To Cure Rise In Medical ID Fraud.]

Medical ID theft can take several forms: It can be the result of family fraud, a health care provider's online data breach, or physical theft of equipment storing the information, such as the break-in last month at an administrative office of the largest health system in Illinois, Advocate Medical Group, where thieves stole four unencrypted computers that contained Social Security numbers, health insurance, and other personal information of 4.03 million patients.

Most victims don't know how their medical information was exposed, Ponemon says. "A large segment of folks don't know how it happened," he says.

Some 56 percent of the victims say they lost confidence in their health care provider in the wake of the fraud experience, and 57 percent say they would drop their providers if they were unable to protect their medical records. But most consumers don't do much to protect their medical information: Fifty-four percent say they don't check their health records because they don't know how to do so and are relying on their health care provider to take care of it, and 52 percent say they didn't report medical claims that appeared inaccurate.

Dan Nutkis, founder and CEO of the Health Information Trust Alliance (HITRUST), says health care organizations increasingly are being targeted by cybercriminals for both financial and medical information. "There's no question about it: There's been an uptick in healthcare [providers] being targeted," Nutkis says.

Attackers are planting backdoors or other malware on health care organizations' systems and selling that access so other bad guys can steal information. "They have planted backdoors in health care organizations so they can sell access," Nutkis says.

Alex Balan, head of product management at BullGuard, which offers an online identity protection service for consumers, points to a data dump a few months ago that included victim names, dates of birth, addresses, height, weight, full credit card account information, insurance information, and even the type of cars they drove. "There were 20 to 30 columns for each individual [entry]," Balan says. It was enough information to begin to assume someone's identity.

Social engineering can provide a treasure trove of medical information for fraudsters, he says. "If you're trying to get services from a medical institution or a hospital, you need to know the entire scripts on what you're going to be asked, and what credentials [you will need, for example]," he says.

The full Ponemon 2013 Survey on Medical Identity Theft is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...