Medical and healthcare-related security and privacy concerns have been front page news in 2013, especially with recent launches of federal and state medical healthcare exchanges and changes stemming from the “HIPAA Omnibus Final Rule” enacted early this year that went into effect as of September 23rd. In a timely and notable report, the Ponemon Institute released a study sponsored by the Medical Identity Fraud Alliance, called the 2013 Survey on Medical Identity Theft (the “Survey”). The Survey attempts to measure “the prevalence of medical identity theft in the United States and its impact on consumers” by, in part, analyzing the what 788 adult-aged individuals who self-reported that they or family members had been medical ID theft victims experienced. What did Ponemon uncover?
As a starting point the Survey defined “medical identity theft” as the use of “an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.” In connection Ponemon identified six themes generated by its Survey research. Namely, that:
- Medical identity theft continues to be a costly crime.
- The dangers and consequences of medical identity theft are not fully understood by consumers surveyed.
- Steps to protect against medical identity theft and resolve the crime are often ignored.
- The risk of medical identity theft can be reduced.
- Certain individuals are more likely to knowingly share their medical credentials.
- Certain individuals are more likely to suffer negative medical and financial consequence
And “costly” is something of an understatement, as the Survey found that for the 36% of respondents who reported they had to expend funds to resolve their medical ID theft situation the average out-of-pocket cost was $18,660 – with the bulk of that spent on “identity protection, legal counsel and credit reporting for an average of $8,369, followed by $5,899 on medical services because of a lapse in health insurance and $4,392 to healthcare providers for health services provided to imposters in their name.”
In addition the Survey revealed other key findings, including that:
- The number of medical identity theft victims has increased significantly – By 19% in the one year base rate, from 1.5MM med ID theft victims in 2012 to 1.8MM in 2013.
- Medical identity theft can put victims’ lives at risk – As reported 50% of individuals in the Survey were not aware that resulting permanent inaccuracies in their medical history records could lead to misdiagnosis, errors in prescriptions and other delays in treatment with potentially life threatening consequences.
- Most medical identity theft victims lose trust and confidence in their healthcare provider following the loss of their medical credential – 56% of victims reported they lost trust and confidence in their healthcare providers in connection with the incident(s).
- Individuals lack awareness of the seriousness of the crime and rarely take steps to check their medical records – As the majority of individuals indicated they had not yet, at the time of the survey, felt any negative consequences of their medical ID theft a full 50% of participants had taken no steps to protect themselves from future medical ID thefts. Paradoxically, however, only 11% indicated their identify theft incident was “completely resolved” and further that “78% of respondents say that it is very important or important to control their health records directly but they are not taking steps to do so.” Clearly broader educational and awareness efforts are required.
- Resolution of the crime is time-consuming – Perhaps connected to the number of individuals who take no steps at all in resolving their incident or preventing future thefts is the fact that dealing with the aftermath of medical ID thefts can be protracted and time consuming, with 36% of respondents stating their resolution activities “consumed almost a year of more” and that nearly half, at 48%, noted at the time of the survey that their incident was “still not resolved.”
- Reviews of Explanation of Benefits can protect individuals – In this year’s Survey, Ponemon asked individuals if they read the various “EOB” form/documents received after healthcare service paid for by insurance companies, which often help red flag incidents of medical identity theft by spotlighting the types of procedures/exams billed. Unfortunately, the majority of individuals “do not review these documents,” although 46% stated they do in fact read EOBs “all or some of the time.”
- Sharing of personal identification to obtain medical services is prevalent – Amazingly, 30% of respondents knowingly permitted a family member to use their personal identification, one or more times, to obtain treatment, healthcare products or pharmaceuticals. Fifty-three percent of this group stated they did this only once. But 21% could not or were unsure of the number of times they shared their identification in this fashion.
- Many cases of medical identity theft are preventable – If any single key finding stopped me in my tracks it’s that the “majority of respondents say the crime happened because they knowingly shared their personal identification or medical credentials with someone they knew (30%) or a member of the family took their personal identification or medical credentials without consent (28%).” As a result Ponemon concludes that, in such cases, “not sharing credentials or being more protective of their credentials could have prevented the crime” given that “very few respondents say that a data breach, malicious insider, identity thief or loss of their credentials resulted in the crime” – typically the cause of more conventional “data breaches” and similar incidents. Again, this starkly highlights that – when it comes to medical identify information – increased awareness, education and basic protective steps are in order and could stem a significant portion of medically-related identity theft.
In conclusion, the Survey summarizes that medical identity theft is both expensive and on the rise, with an estimated total of out-of-pocket cost to victims of approximately $12.3 billion! However, the good news is that many cases of such ID theft are readily preventable, as such fraud rarely appears to occur from traditional infosec vectors, such as data breaches, malicious insiders, or loss of ID credentials.
Medical identity theft is, in short, a “family affair” and the solutions revolve around: (1) individuals’ increased awareness of negative consequences due to sharing medical ID credentials; and (2) improving authentication procedures by healthcare providers, organizations and others to verify that the correct individuals are obtaining specific medical services and products.