Having steadily grown over the past five years, medical identity theft increased by a whopping 21.7 percent in 2014, according to a new report conducted by the Ponemon Institute on behalf of the Medical Identity Fraud Alliance (MIFA).
Unlike the financial services industry, which has evolved to detect fraud and absorb the costs, the healthcare industry lags far behind, forcing individuals to feel the brunt of the costs. Sixty-five percent of the victim individuals had to pay to resolve the issue -- on average, $13,450 per person, including payments to healthcare providers, insurers, identity service providers, and legal counsel.
That number is particularly striking considering that most victims' household incomes were $50,000 or less. Not only did it hurt their wallet, 45 percent of victims said the incidents damaged their reputation -- 86 percent of those were embarrassed by the exposure of their personal medical conditions, 19 percent said it cost them career opportunities, and 3 percent said it actually caused them to lose their jobs.
Plus, most victims spent over 200 hours working to find a resolution, and only 10 percent were completely satisfied with the outcome. While strides have been made in the financial services industry to allay the costs of identity theft for individuals, the same certainly cannot be said for the healthcare industry.
The report, released yesterday, does not speculate upon whether or not large-scale data breaches like the one at Community Health Systems in August had an impact on identity theft frequency. (The survey was conducted in November.)
In a separate report released today by penetration testing company Redspin, "164 incidents of breaches of PHI were reported to the HHS Office of Civil Rights (OCR), impacting nearly 9 million patient records" and more than half of those breaches were the result of "hacking attacks."
However, medical identity fraud continues to be a crime often perpetrated -- sometimes enabled -- by people the victim knows personally. According to the MIFA/Ponemon report, One-quarter of "victims" confessed that they "knowingly permitted a family member or friend to use their personal identification to obtain medical services" and 24 percent say a member of the family took their credentials without their consent." Forty-seven percent of the people who did not report the theft, said they opted not to because they knew the thief.
On average, it took more than three months for the identity theft to be discovered, and very few of the victims learned of the identity theft from their healthcare provider or insurer. Twelve percent were told by the provider during an appointment, 9 percent received breach notifications, and 5 percent received an "alert." (More than one response was permitted.)
However, the lion's share of victims had to discover it for themselves -- one-third found errors on their invoices, 28 percent received collection letters, 24 percent found errors in their medical records, 24 percent saw errors in their insurers' explanations of benefits, and 14 percent saw erroneous information on their credit reports.
Healthcare providers should take note, because about half of respondents said they would change providers if they had their records stolen, and 80 percent wanted to be reimbursed for the money spent to mitigate the damage.
Both of these reports were conducted before the recent Anthem Healthcare breach. The security industry is closely watching to see whether customers respond differently to the Anthem breach than they do to other companies' breaches, since Anthem went out of its way to publicly report the incident so quickly -- only eight days from the discovery of suspicious behavior.
"From here on, all PHI breach statistics are going have to be reported as 'pre- or post-Anthem,'" says Daniel W. Berger, President and CEO of Redspin. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars."