In this interview with Help Net Security, Paige Hanson, Chief of Cyber Safety Education at NortonLifeLock, talks about the risks posed by medical ID theft, the repercussions of such criminal activity, and what people as well as organizations can do to protect valuable medical information.
With the pandemic still showing no signs of stopping, healthcare organizations are continuing to be an interesting target for cybercriminals. How is this affecting patients?
Medical identity theft can be costly. When medical identity theft targets insurance providers or government programs, the resulting costs may be borne by the larger population—through higher insurance costs or increased taxes.
Even more worrisome than the possible financial cost of medical identity theft is the potential risk it poses of mingling an identity thief’s health information with your own. That could ultimately put your care in jeopardy the next time you receive medical treatment. For instance, you might receive medicine to which you’re allergic.
What are the techniques cybercriminals are using to steal medical IDs?
A cybercriminal needs your personal information to commit medical identity theft against you. This information might include your Social Security number, name, date of birth, and other pieces of personally identifiable information (PII). The thief may also use your PHI, or personal health information, including your healthcare data and medical and prescription history.
Something as simple as a lost wallet—with your Social Security card inside—could lead to medical identity theft. The criminal uses that card and other information in your wallet to obtain medical care at a doctor’s office or emergency room. Thieves can also obtain the information as a result of data breaches affecting health insurance companies and other entities. Often, breached data ends up for sale on the dark web. It’s important to never give your personal information over the phone or by email, unless you initiated the communication, as this is also a common technique to steal medical information.
How do cybercriminals profit from medical ID theft?
Cybercriminals can use your personal information to obtain medical services, treatment or drugs. They can also fraudulently bill insurance providers or government programs for medical goods and services without your authorization.
Both patients and providers may commit fraudulent medical claims, depending on circumstances. Consumers steal insurance information to cover benefits their insurance may not include, or because they have no insurance at all. Providers also may file fraudulent claims on an individual’s insurance to obtain reimbursement for procedures they never performed to offset the cost of treating uninsured or under-insured clients.
What should healthcare organizations do to tackle medical ID theft?
Healthcare organizations are responsible for appropriately handling their patients’ medical information. Here are some steps that organizations can follow to support patients that are victims of medical identity theft and to prevent data breaches:
- Conduct an investigation: If your organization gets a call from a patient who claims she was billed for services she didn’t receive, review your records relating to the services performed and any supporting documentation. If you determine there was identity theft, notify everyone who accessed the patient’s medical records and ask them to correct the records.
- Provide data breach notifications: If you determine that your organization improperly used or shared protected health information, you should share with patients whether a breach has occurred.
- Review your data security practices: Even if the information used to commit the fraud didn’t come from your organization, it’s good to periodically review your data security practices.
Is there anything people can do to protect themselves from medical ID theft?
Thankfully, there are steps you can take to help protect yourself against medical identity theft.
- Get a copy of your medical records: Under federal law, you have the right to know what’s in your medical records, except in certain circumstances. Ask your doctors for a copy of your medical files, so you have all your documentation in case you need to report identity theft.
- Check your explanation of benefits and credit report: You’ll get explanation-of-benefits documents every time you visit a doctor and pay using insurance. EOB documents show the services you received and what the insurer covered. When you get one of these summaries, check it against your own records. If the date of service, name of provider and service provided don’t match the care you received, this may be a problem. Another red flag? Opening an EOB for a service you never received.
- Protect your medical information: Don’t share medical or insurance information on the phone or by email, unless you’ve initiated the communication and you know who you’re dealing with. In addition, make sure the website of your doctor’s office is secure (check for the “https” in the URL), and if you stop seeing a provider, you can request that your personal information be deleted from their systems.