Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/24/2015
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Medical Identity Theft Costs Victims $13,450 Apiece

New study shows not only is medical identity fraud costly for individuals, it's happening a lot more often.

Having steadily grown over the past five years, medical identity theft increased by a whopping 21.7 percent in 2014, according to a new report conducted by the Ponemon Institute on behalf of the Medical Identity Fraud Alliance (MIFA).

Unlike the financial services industry, which has evolved to detect fraud and absorb the costs, the healthcare industry lags far behind, forcing individuals to feel the brunt of the costs. Sixty-five percent of the victim individuals had to pay to resolve the issue -- on average, $13,450 per person, including payments to healthcare providers, insurers, identity service providers, and legal counsel.

That number is particularly striking considering that most victims' household incomes were $50,000 or less. Not only did it hurt their wallet, 45 percent of victims said the incidents damaged their reputation -- 86 percent of those were embarrassed by the exposure of their personal medical conditions, 19 percent said it cost them career opportunities, and 3 percent said it actually caused them to lose their jobs.

Plus, most victims spent over 200 hours working to find a resolution, and only 10 percent were completely satisfied with the outcome. While strides have been made in the financial services industry to allay the costs of identity theft for individuals, the same certainly cannot be said for the healthcare industry.

The report, released yesterday, does not speculate upon whether or not large-scale data breaches like the one at Community Health Systems in August had an impact on identity theft frequency. (The survey was conducted in November.)

In a separate report released today by penetration testing company Redspin, "164 incidents of breaches of PHI were reported to the HHS Office of Civil Rights (OCR), impacting nearly 9 million patient records" and more than half of those breaches were the result of "hacking attacks."

However, medical identity fraud continues to be a crime often perpetrated -- sometimes enabled -- by people the victim knows personally. According to the MIFA/Ponemon report, One-quarter of "victims" confessed that they "knowingly permitted a family member or friend to use their personal identification to obtain medical services" and 24 percent say a member of the family took their credentials without their consent." Forty-seven percent of the people who did not report the theft, said they opted not to because they knew the thief.

On average, it took more than three months for the identity theft to be discovered, and very few of the victims learned of the identity theft from their healthcare provider or insurer. Twelve percent were told by the provider during an appointment, 9 percent received breach notifications, and 5 percent received an "alert." (More than one response was permitted.)

However, the lion's share of victims had to discover it for themselves -- one-third found errors on their invoices, 28 percent received collection letters, 24 percent found errors in their medical records, 24 percent saw errors in their insurers' explanations of benefits, and 14 percent saw erroneous information on their credit reports.

Healthcare providers should take note, because about half of respondents said they would change providers if they had their records stolen, and 80 percent wanted to be reimbursed for the money spent to mitigate the damage. 

Both of these reports were conducted before the recent Anthem Healthcare breach. The security industry is closely watching to see whether customers respond differently to the Anthem breach than they do to other companies' breaches, since Anthem went out of its way to publicly report the incident so quickly -- only eight days from the discovery of suspicious behavior.

"From here on, all PHI breach statistics are going have to be reported as 'pre- or post-Anthem,'" says Daniel W. Berger, President and CEO of Redspin. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Nemos
50%
50%
Nemos,
User Rank: Apprentice
2/24/2015 | 5:50:29 PM
An example
Could you please give an example as here in Europe we have a bit different health system and I dont understand why one should cheat about his/her identity ? Is this action has to do that there is not a public insurance therefore you have to pay for your medical expenses ?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/25/2015 | 10:52:21 AM
Re: An example
@Nemos   Yes, you've got it. Health insurance in the US is very expensive, but the costs of medical appointments and procedures is INCREDIBLY expensive.

(For example, when I was admitted to the hospital a few years ago, the hospital room cost $800 per night. That's not including the doctors, the medication, the tests, the procedures, etc. The MRI I had was about $13,000 insurance, if I remember correctly. Even with insurance, the trip cost me a couple thousand dollars. Even with insurance, an ambulance trip cost me $600.)

And that's why people often ALLOW their friends/family to borrow their insurance. And why it costs so much to remediate the damage.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/26/2015 | 11:09:50 AM
Re: An example > borrow insurance?
@Sara, Call me naive but how is it possible to borrow insurance? Don't you need to provide information about your identity, beyond simply the insurance card/number? 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/26/2015 | 12:49:10 PM
Re: An example > borrow insurance?
@Marilyn  Not really, Marilyn. Generally, they'll ask for your insurance card, but not your ID. And most of the time you're getting billed, not paying up front (except maybe a co-pay that you can pay in cash), so they won't even see a credit card or a checkbook with the wrong person's name on it.

They'll ask for all kinds of medical history on your first appointment. But since most healthcare centers don't share that information, they won't necessarily know that the 37-year-old Sara Peters with epilepsy at hospital A is one person and the 22-year-old 'Sara Peters' with diabetes is a different person, much less a fraud. This is one of those reasons that health information exchange technology could be useful.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/26/2015 | 2:19:11 PM
Re: An example > borrow insurance?
Now that you mention it, @sarapeters, i've never had to present my ID for a medical appointment. And speaking of health records, i got an email from a Veterinarian's office in Seattle recently about an outpatient discharge report for a "Bridget" Cohodas (no relation-- as far as  I know). So much for confidentiality of PII . But then, maybe pets aren't covered by HIPAA. :-)
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/27/2015 | 11:51:36 AM
Re: An example > borrow insurance?
@Marilyn  Wow! What did you do about it? And what sort of creature was Bridget?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/1/2015 | 3:00:38 AM
Re: An example > borrow insurance?
That's funny, Marilyn; it seems I *always* have to present my medical ID whenever I go in for a doctor's appointment.  I guess it depends where you go.
JPtaylorL
50%
50%
JPtaylorL,
User Rank: Apprentice
2/26/2015 | 12:48:07 PM
huh?
So if anyone went out at looked at the HHS Wall of Shame (which is where public breaches of PHI are disclosed), you'll see that there are 278 breaches in 2014.   31 were actually as a result (self reported) of hacking.  The vast majority of other issues tagged - were mistakes or problems resulting from poor execution of policies and procedures.  Hacking is a problem.  Advanced malware is a problem.  However, GETTING GOOD AT RISK ASSESSMENTS, RESPONDING TO RISK, and EXECUTING POLICIES AND PROCEDURES is STILL the most reliable method for avoiding getting owned. The spin is spin.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.