Dark Reading is part of the Informa Tech Division of Informa PLC


2/24/2015
04:00 PM

Medical Identity Theft Costs Victims $13,450 Apiece

New study shows not only is medical identity fraud costly for individuals, it's happening a lot more often.

Having steadily grown over the past five years, medical identity theft increased by a whopping 21.7 percent in 2014, according to a new report conducted by the Ponemon Institute on behalf of the Medical Identity Fraud Alliance (MIFA).

Unlike the financial services industry, which has evolved to detect fraud and absorb the costs, the healthcare industry lags far behind, forcing individuals to bear the brunt of the costs. Sixty-five percent of victims had to pay to resolve the issue -- on average, $13,450 per person, including payments to healthcare providers, insurers, identity service providers, and legal counsel.

That number is particularly striking considering that most victims' household incomes were $50,000 or less. Not only did it hurt their wallet, 45 percent of victims said the incidents damaged their reputation -- 86 percent of those were embarrassed by the exposure of their personal medical conditions, 19 percent said it cost them career opportunities, and 3 percent said it actually caused them to lose their jobs.

Plus, most victims spent over 200 hours working to find a resolution, and only 10 percent were completely satisfied with the outcome. While strides have been made in the financial services industry to allay the costs of identity theft for individuals, the same certainly cannot be said for the healthcare industry.

The report, released yesterday, does not speculate upon whether or not large-scale data breaches like the one at Community Health Systems in August had an impact on identity theft frequency. (The survey was conducted in November.)

In a separate report released today by penetration testing company Redspin, "164 incidents of breaches of PHI were reported to the HHS Office of Civil Rights (OCR), impacting nearly 9 million patient records" and more than half of those breaches were the result of "hacking attacks."

However, medical identity fraud continues to be a crime often perpetrated -- sometimes enabled -- by people the victim knows personally. According to the MIFA/Ponemon report, one-quarter of "victims" confessed that they "knowingly permitted a family member or friend to use their personal identification to obtain medical services" and 24 percent say a member of the family took their credentials without their consent. Forty-seven percent of the people who did not report the theft said they opted not to because they knew the thief.

On average, it took more than three months for the identity theft to be discovered, and very few of the victims learned of the identity theft from their healthcare provider or insurer. Twelve percent were told by the provider during an appointment, 9 percent received breach notifications, and 5 percent received an "alert." (More than one response was permitted.)

However, the lion's share of victims had to discover it for themselves -- one-third found errors on their invoices, 28 percent received collection letters, 24 percent found errors in their medical records, 24 percent saw errors in their insurers' explanations of benefits, and 14 percent saw erroneous information on their credit reports.

Healthcare providers should take note, because about half of respondents said they would change providers if they had their records stolen, and 80 percent wanted to be reimbursed for the money spent to mitigate the damage. 

Both of these reports were conducted before the recent Anthem Healthcare breach. The security industry is closely watching to see whether customers respond differently to the Anthem breach than they do to other companies' breaches, since Anthem went out of its way to publicly report the incident so quickly -- only eight days from the discovery of suspicious behavior.

"From here on, all PHI breach statistics are going to have to be reported as 'pre- or post-Anthem,'" says Daniel W. Berger, President and CEO of Redspin. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Joe Stanganelli,
User Rank: Ninja
3/1/2015 | 3:00:38 AM
Re: An example > borrow insurance?
That's funny, Marilyn; it seems I *always* have to present my medical ID whenever I go in for a doctor's appointment.  I guess it depends where you go.
Sara Peters,
User Rank: Author
2/27/2015 | 11:51:36 AM
Re: An example > borrow insurance?
@Marilyn  Wow! What did you do about it? And what sort of creature was Bridget?
Marilyn Cohodas,
User Rank: Strategist
2/26/2015 | 2:19:11 PM
Re: An example > borrow insurance?
Now that you mention it, @sarapeters, I've never had to present my ID for a medical appointment. And speaking of health records, I got an email from a Veterinarian's office in Seattle recently about an outpatient discharge report for a "Bridget" Cohodas (no relation -- as far as I know). So much for confidentiality of PII. But then, maybe pets aren't covered by HIPAA. :-)
Sara Peters,
User Rank: Author
2/26/2015 | 12:49:10 PM
Re: An example > borrow insurance?
@Marilyn  Not really, Marilyn. Generally, they'll ask for your insurance card, but not your ID. And most of the time you're getting billed, not paying up front (except maybe a co-pay that you can pay in cash), so they won't even see a credit card or a checkbook with the wrong person's name on it.

They'll ask for all kinds of medical history on your first appointment. But since most healthcare centers don't share that information, they won't necessarily know that the 37-year-old Sara Peters with epilepsy at hospital A is one person and the 22-year-old 'Sara Peters' with diabetes is a different person, much less a fraud. This is one of those reasons that health information exchange technology could be useful.
JPtaylorL,
User Rank: Apprentice
2/26/2015 | 12:48:07 PM
huh?
So if anyone went out and looked at the HHS Wall of Shame (which is where public breaches of PHI are disclosed), you'll see that there are 278 breaches in 2014. 31 were actually as a result (self reported) of hacking. The vast majority of other issues tagged - were mistakes or problems resulting from poor execution of policies and procedures. Hacking is a problem. Advanced malware is a problem. However, GETTING GOOD AT RISK ASSESSMENTS, RESPONDING TO RISK, and EXECUTING POLICIES AND PROCEDURES is STILL the most reliable method for avoiding getting owned. The spin is spin.
Marilyn Cohodas,
User Rank: Strategist
2/26/2015 | 11:09:50 AM
Re: An example > borrow insurance?
@Sara, Call me naive but how is it possible to borrow insurance? Don't you need to provide information about your identity, beyond simply the insurance card/number? 
Sara Peters,
User Rank: Author
2/25/2015 | 10:52:21 AM
Re: An example
@Nemos Yes, you've got it. Health insurance in the US is very expensive, but the cost of medical appointments and procedures is INCREDIBLY expensive.

(For example, when I was admitted to the hospital a few years ago, the hospital room cost $800 per night. That's not including the doctors, the medication, the tests, the procedures, etc. The MRI I had was about $13,000 insurance, if I remember correctly. Even with insurance, the trip cost me a couple thousand dollars. Even with insurance, an ambulance trip cost me $600.)

And that's why people often ALLOW their friends/family to borrow their insurance. And why it costs so much to remediate the damage.

 
Nemos,
User Rank: Apprentice
2/24/2015 | 5:50:29 PM
An example
Could you please give an example, as here in Europe we have a bit different health system and I don't understand why one should cheat about his/her identity? Does this action have to do with there not being public insurance, so that you have to pay for your medical expenses?