Cybercriminals are targeting a more robust avenue to gather personal data — your medical records.
The scope of information lifted in medical record breaches – along with the repercussions – outweighs the financial data stolen from retailers like Target and Home Depot.
With the Anthem breach, records containing names, email/street addresses, birthdays, member I.D./Social Security numbers and employment information of some 80 million people were exposed.
“Healthcare organizations typically have a lot more information on you than financial organizations, and they’ve got crap security,” says Neal O’Farrell, security and identity theft expert for CreditSesame.com.
In April 2014, healthcare providers were alerted by the FBI about their lax security systems, compared to other sectors, and warned of potential cyber-attacks.
“Thanks to this breach, your entire profile is out there for the taking,” says O’Farrell.
One of the bigger concerns with this health sector breach is the possibility that criminals have all the essential information they need to carry out medical ID theft and fraud. Medical ID theft occurs when thieves steal your personal information to acquire medical care or make fraudulent claims against your health policy.
An estimated 2.3 million adult-aged Americans fell victim to medical identity theft in 2014, according to a study sponsored by the Medical Identity Fraud Alliance (MIFA), and conducted by the Ponemon Institute.
Financial and Medical Consequences
“Medical identity theft is a booming business,” says Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance (MIFA). “The information is highly marketable and profitable and sells for significantly more than your financial credentials.”
O’Farrell estimates that some medical IDs can sell for up to $300 on the black market, fetching a much higher price than records in the already flooded credit card market.
While you can easily shut down a credit card, you cannot do the same for birthdates and Social Security numbers; that alone makes those nine-digit numbers more valuable and in demand.
What’s in jeopardy when your medical information is stolen?
Once a criminal has all your personal data, they could potentially:
- Open credit cards/bank accounts in your name
- File and steal tax refunds
- Secure a loan
- Apply for a job
- File bankruptcy under your name
Patterson says the most dangerous type of ID theft is medical. “Your medical identity can be used fraudulently to buy private health insurance in your name, bill healthcare providers for medical treatments, obtain prescription drugs and file for Medicare reimbursement.”
While credit monitoring can detect sham accounts, it won’t immediately spot a medical claim filed with your insurance provider or when someone tries to get a prescription in your name. Thousands of fake medical claims can be issued and paid before it’s noticed.
Patterson says that in addition to the financial headache and clean-up medical ID theft can cause, another issue is the corruption and commingling of your medical records with the ID thieves’ health information.
Mixed health information can put your health and well-being in jeopardy through misdiagnosis, mistreatment or delayed treatment caused by inaccuracies in your health records, or through the wrong pharmaceuticals being prescribed.
Uncovering and Resolving Medical ID Theft
The World Privacy Forum (WPF) provides some active measures to quickly detect medical ID theft.
- Monitor “Explanation of Benefits”: Closely screening your insurance statements will help you detect fraudulent services, office visits, prescriptions, or medical equipment you did not receive.
- List of Benefits: Request a yearly list of benefits from your insurer. Fraudsters will often change a phone number or address, so you may not see all medical statements. Under the Health Insurance Portability and Accountability Act (HIPAA), you have a right to a copy of your records from every health insurer and nearly every health care provider.
- Obtain Current Medical Files: Victim or not, some people may want to inspect and make copies of their health records. A good tip from WPF is to simply make the request each time you go to the doctor.
- Correcting Inaccuracies: Cleaning up the information on your health records is a challenging process. The doctor, hospital, clinic and the insurer will all need to verify and correct the information with each other. Under HIPAA privacy laws, that can be a difficult task. You will want to be diligent and insist that each record keeper notify, confirm and correct the false information in your records.
“You have to be vigilant to the point of paranoid,” says O’Farrell. “Be guarded of emails, letters or unusual inquiries and junk mail concerning this breach over the next year or two. You’ve got to monitor your credit like a hawk.”
Anthem is providing 24 months of free identity protection services to those directly affected.
O’Farrell says because there is no universal lock on the Social Security number, you don’t know what the criminals are going to do with it until after it’s done.
That’s why your child is especially appealing to ID criminals. Social Security numbers for young children have yet to be filed with credit agencies, so fraudsters are able to use children’s numbers for years unnoticed.
“This is a breach where entire generations could be affected,” states O’Farrell.
While Annualcreditreport.com provides one free credit report from each of the three credit bureaus every 12 months to legal adults, the same mandate does not apply to a child’s credit report.
As O’Farrell points out, “you can’t simply demand to monitor for the abuse of a child’s credit or Social Security number.”
To request a minor’s report, you must show proof of legal guardianship via direct contact with each credit agency. The Identity Theft Resource Center provides a form that parents or guardians can use to request information on their child.
Anthem is offering breach victims and their children under the age of 18 additional protection called AllClear ID ChildScan, which will actively scan databases to find out if thieves are using the child’s Social Security number.
It’s also recommended to freeze your credit and your child’s credit, if you can. There are only 16 states that allow a parent or guardian to freeze a minor’s credit.
O’Farrell says monitoring your and your child’s credit reports from here on out is going to be necessary, but it won’t protect anyone from becoming a victim.
“A third of U.S. adults will be looking over their shoulders the rest of their life. We are woefully outgunned by the hackers.”
National Consumer Protection Week (NCPW), from March 1st to the 7th, is a great opportunity to review resources to guard against identity theft. This coordinated campaign encourages consumers to take full advantage of their rights to make better-informed decisions.