Medical Identity Theft: A Deadly Side Effect of Healthcare Data Breaches
eBook on November 16, 2016
- Cyber Security
- Data Privacy
- Identity Theft and Fraud
Patients are a vulnerable population. Their health, even their lives, rest in the hands of healthcare providers. Equally vulnerable are patients’ health records. In today’s connected world, this data is strewn across the digital universe. From electronic health records (EHRs) to physicians’ iPads to wearable health devices, a patient’s confidential medical information is available to more people in more places than ever before. Sensitive medical diagnoses, health insurance numbers, and other information are there for the viewing — and the stealing.
In this eBook you’ll learn:
Your patients deserve the best care. They also deserve the best protection against medical identity theft that you can provide. We hope this information helps.
Data breaches first became public knowledge about 10 years ago, when certain states enacted legislation requiring public disclosure of breaches affecting consumers. Now they are part of the consumer vocabulary. That is no surprise, given that breaches affect the financial and physical health of consumers. Identity theft is the fastest growing crime in the U.S., according to the FBI; an identity is stolen every 3 seconds, a recent Javelin study found.
By Rick Kam and Christine Arevalo, February 8, 2012, Government Health IT

Healthcare fraud is costing American taxpayers up to $234 billion annually, based on estimates from the FBI. It is no wonder that a stolen medical identity has a $50 street value, according to the World Privacy Forum, whereas a stolen Social Security number sells for only $1. One form of healthcare fraud, medical identity theft, has its own staggering statistics: 1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. The report estimates the annual economic impact of medical identity theft at $30.9 billion.
The name Moda Health, Inc. doesn’t appear on the Office for Civil Rights’ “wall of shame,” where HIPAA covered entities that have suffered a breach affecting 500 or more people are listed. Nevertheless, Moda, a health plan and benefits manager in the Pacific Northwest with some 2 million customers, was the first in the nation to include among its standard benefits a new kind of protection against misuse of protected health information that may lead to medical identity theft.

In December, Moda began offering a product known as MIDAS, short for “medical identity alert system,” developed and sold by ID Experts, a 12-year-old breach prevention, assessment and mitigation firm based in Portland, Ore. “Just as good health involves preventive care, we think protecting your medical identity involves preventive tools to help you monitor that identity,” Moda spokeswoman Katie Paullin tells RPP.

On a Web page touting MIDAS, Moda calls medical identity theft “more than just an invasion of your privacy — it’s a threat to your health and well-being. With enough information, an identity thief can use your medical benefits to submit false claims, rack up bills with fraudulent charges, fill prescriptions in your name, or add a new allergy or medication to your medical records.”

ID Experts is perhaps best known for RADAR, its patented product that helps covered entities (CEs) conduct a HIPAA security risk analysis (RPP 5/13, p. 11). And while MIDAS has been available only since November, Rick Kam, ID Experts’ president and co-founder, tells RPP the market for MIDAS is just as big. MIDAS can be used as an add-on to the credit monitoring and breach mitigation that CEs would provide in the event of a breach. Or, as in Moda’s case, MIDAS can be bundled with a typical benefits package and used as a bulwark against rising incidents of medical identity theft. Such “incidents” rose nearly 22% from 2013 to 2014, according to a recent study by the Ponemon Institute, its fifth annual on the topic.
Credit Monitoring Falls Short

Credit monitoring alone “doesn’t do anything if your health insurance number is being misused,” Kam says. The danger in medical identity theft is not only that the cost of fraudulent services will be incurred, but also that wrong and potentially damaging or dangerous medical information could become part of the patient’s medical record, he points out.

CEs are suffering breaches every day, it would seem. The most recent to make the news was the monumental breach of possibly some 80 million records held by Anthem, Inc., which was announced Feb. 4 (see story, p. 1). Anthem initially drew the wrath of Connecticut Attorney General George Jepsen, who wrote a letter to Anthem on Feb. 10, signed by nine additional state AGs, demanding that Anthem speed up the process of informing affected individuals of the details of the breach and of ways they could protect themselves, including by offering credit monitoring services. The AGs did not suggest medical ID theft protection, which many are not aware exists. ID Experts hopes to change that.

ID Experts CEO Bob Gregg penned an “open letter” back to Jepsen on the same day, stating that Jepsen’s emphasis on credit monitoring “misleads consumers.” “The greatest and longest lasting potential harms that are likely to affect the individuals impacted by the Anthem breach will be medical identity theft,” Gregg wrote. “As a result, it can have a devastating impact on individuals, be difficult to detect, and be very costly to repair.” Gregg urged Jepsen to “consider that some type of medical identity monitoring, to complement the credit monitoring, should be an essential requirement” for Anthem to provide affected individuals. Robert Blanchard, Jepsen’s spokesman, said the AG had no comment on Gregg’s letter.
Report on Patient Privacy, March 2015. Copyright © 2015 by Atlantic Information Services, Inc. Reprinted with permission from Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com

Secure Claims Are Sent

ID Experts describes MIDAS as “an innovative health care fraud solution…developed to lower healthcare costs and protect consumers’ medical identities through early detection and prevention of healthcare fraud.” Kam says ID Experts had been “looking for something to prevent medical identity theft.” It felt a product was needed that would function the way credit monitoring and restoration services do on the financial side, but would be able to catch incidents that don’t necessarily or immediately have financial implications. For example, a person could appropriate someone’s identity and obtain services under his or her insurance card, with no charges ever appearing on the patient’s credit card. Seeing no such product, the firm decided to create one of its own.

Payers support MIDAS “on behalf of their members,” Kam explains. “We price the program based on the number of potential members using the tool,” at a cost of “pennies per person per month.” Contracts for MIDAS are typically for three years, he adds.

MIDAS works by tapping into a claims database, either the payer’s directly or one ID Experts creates to house a MIDAS customer’s claims once they are sent to ID Experts. “We have a secure daily feed from the payer [of claims] with a limited number of data elements,” Kam explains. Once a claim is identified, ID Experts sends the patient an email or a text, depending on the option they’ve selected, alerting them to log into a secure website to review the claim. The text and email themselves are not encrypted, which is why the alert carries only a prompt to log in rather than any claim details. This part is similar to how credit monitoring works.
For example, firms such as Experian send customers with credit monitoring an email stating, “Information in your credit report has changed,” and telling them to log in to view the “alert.” If the alert refers to something that is a problem, the person has to contact Experian to resolve it.

With MIDAS, the member registers and sets the frequency of alerts; access to records for family members can also be granted, although those over 18 have to give authorization. It “works on just about any device with a web browser…[and] will adapt its screen size to fit all smartphones, tablets, laptops, and computer monitors,” according to information on the MIDAS website. Once alerted to a claim, the person logs in and views the provider name, date of service and type of service, such as a routine check-up. The person marks the claim as “valid,” “suspicious,” or “needs research.” He or she can also note physicians commonly seen so alerts for them won’t be sent. In this way the system begins to “learn” the member’s pattern of health care service, the same way a credit card company compiles data that warn of aberrant purchases. Any claim flagged as suspicious “is then encrypted and sent to MIDAS’s team of fraud experts for investigation.” (For more information, see https://www2.idexpertscorp.com/midas-software.)

Still ‘Pay and Chase’

ID Experts never sends PHI or other information, such as a Social Security number, in the alerts to patients or health plan members, so it does not run afoul of HIPAA or other laws, Kam stresses.
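The workflow the article describes (a daily claims feed with a limited set of data elements, an unencrypted email or text that carries no PHI, a portal review where the member marks a claim valid, suspicious or needs research, and a list of routinely seen providers that suppresses alerts) can be modelled in a few dozen lines. The Python below is an added example written for this page, not ID Experts’ MIDAS code. The field names, the portal URL, the HMAC-derived claim reference, the fail-closed leak check and the two sample claims are all constructed assumptions; the hand-off of a suspicious claim to investigators, which the article says is encrypted, is only represented as a queue here.

```python
"""Toy model of a claims-alert pipeline of the kind described above.

Constructed illustration, not ID Experts' code. Assumptions: the payer's
daily feed is a list of Claim records with a limited set of fields; every
notification travels over an unencrypted channel and therefore carries only
an opaque reference; claim details are shown only after portal login.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

PORTAL_URL = "https://portal.example/claims"   # hypothetical portal
VALID_DISPOSITIONS = {"valid", "suspicious", "needs research"}


@dataclass
class Claim:
    claim_id: str
    member_id: str
    provider: str
    date_of_service: str
    service_type: str
    diagnosis_code: str   # PHI: stays in the claims store
    ssn: str              # PHI: stays in the claims store


@dataclass
class Member:
    member_id: str
    contact: str
    channel: str                                   # "email" or "sms"
    trusted_providers: set = field(default_factory=set)
    dispositions: dict = field(default_factory=dict)   # claim_id -> choice


def claim_reference(claim_id: str, key: bytes) -> str:
    """Opaque reference for the notification: an HMAC of the claim id under a
    server-side key, so even the claim number never travels in clear text."""
    return hmac.new(key, claim_id.encode(), hashlib.sha256).hexdigest()[:16]


def should_alert(claim: Claim, member: Member) -> bool:
    """Providers the member has marked as routinely seen do not trigger alerts."""
    return claim.provider not in member.trusted_providers


def build_alert(claim: Claim, member: Member, key: bytes) -> dict:
    """The alert says only that something is waiting in the portal."""
    ref = claim_reference(claim.claim_id, key)
    return {"channel": member.channel, "to": member.contact,
            "body": f"A new claim is ready for your review: {PORTAL_URL}?ref={ref}"}


def alert_leaks_phi(alert: dict, claim: Claim) -> bool:
    """Fail-closed check: true if any claim field appears in the message body."""
    body = alert["body"]
    return any(value in body for value in (claim.claim_id, claim.provider,
               claim.date_of_service, claim.service_type, claim.diagnosis_code,
               claim.ssn))


def process_feed(claims, members: dict, key: bytes) -> list:
    """One daily run: return the notifications that would be sent."""
    alerts = []
    for claim in claims:
        member = members[claim.member_id]
        if not should_alert(claim, member):
            continue
        alert = build_alert(claim, member, key)
        if alert_leaks_phi(alert, claim):
            raise RuntimeError("refusing to send a notification that carries PHI")
        alerts.append(alert)
    return alerts


def record_disposition(member: Member, claim: Claim, choice: str,
                       fraud_queue: list, trust_provider: bool = False) -> None:
    """Member reviews the claim in the portal and marks it."""
    if choice not in VALID_DISPOSITIONS:
        raise ValueError(f"unknown disposition {choice!r}")
    member.dispositions[claim.claim_id] = choice
    if trust_provider:
        member.trusted_providers.add(claim.provider)   # future alerts suppressed
    if choice == "suspicious":
        # The described system encrypts this hand-off to fraud investigators;
        # the toy just queues the claim id.
        fraud_queue.append(claim.claim_id)


# Constructed sample data: one routine visit, one claim the member never made.
KEY = b"server-side-secret-rotate-regularly"
MEMBERS = {"M1": Member("M1", "pat@example.com", "email", {"Dr. Routine"})}
CLAIMS = [
    Claim("C-1001", "M1", "Dr. Routine", "2015-02-10", "office visit", "Z00.00", "123-45-6789"),
    Claim("C-1002", "M1", "Pharmacy X", "2015-02-12", "prescription fill", "F11.20", "123-45-6789"),
]


def demo():
    """Run the feed, then have the member flag the unfamiliar claim."""
    fraud_queue = []
    alerts = process_feed(CLAIMS, MEMBERS, KEY)
    record_disposition(MEMBERS["M1"], CLAIMS[1], "suspicious", fraud_queue)
    return alerts, fraud_queue


if __name__ == "__main__":
    sent, queued = demo()
    print(sent)     # one alert, no PHI in the body
    print(queued)   # ['C-1002']
```

The design point is the one Kam makes: because the email or text is not encrypted, the only thing it may contain is a pointer, and the HMAC keeps even the claim number out of the message. The leak check is deliberately redundant with that design, so a later change to the message template that starts interpolating claim fields fails the run instead of quietly shipping PHI.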
For now, ID Experts typically doesn’t hold up payment of a claim while it’s waiting for the individual to verify it, although Christine Arevalo, ID Experts’ vice president for health care fraud solutions, says the firm “can modify our approach based on each health plan’s preference or business rules.” But, she adds, “Obviously, I envision a future where these transactions are approved or denied in real time.” The system would work best, Arevalo says, “the sooner the better” the individual can enter “the data stream in order to spot suspicious activity quickly.” However, “the limitations of the current ecosystem make that a dream for right now,” Arevalo tells RPP, especially because payers must meet requirements to process claims within a certain period of time. MIDAS “is not…standing in the way of claims being paid. We, like the rest of the industry, are typically forced to use a ‘pay and chase’ model whereby we follow the fraud after it’s occurred, and the claim has been submitted for payment,” she says.

There Is Praise for the Concept

Despite the fact that credit monitoring has now become de rigueur following a breach of PHI, CEs aren’t even required under federal rules to offer such services. Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP in San Francisco, points out that only the state of California comes close (but not very) to having something of a mandate to this effect, following a 2014 amendment to its breach notification law. The amendment, which went into effect Jan. 1, states that, “If the person or business providing the notification was the source of the breach, an offer to provide appropriate breach prevention and mitigation strategies, if any, be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information” as defined by California law.
Hirsch notes that this is not a mandate because of the qualifier “if any,” regarding the provision of breach-related services. And it doesn’t mention protection from the risks of medical identity theft, which Hirsch says there is “definitely a need for.” “I think something like [MIDAS] would be very valuable,” Hirsch adds.

John Halamka, chief information security officer for Beth Israel Deaconess Medical Center, agrees. “That sounds like a very interesting service,” he tells RPP. Halamka sees an additional benefit, that of patient engagement. He isn’t sure how much true medical identity theft is happening; he’s aware of only one case at BIDMC, which involved a patient coming to his emergency room without insurance and with false identification. “There are two separate issues,” Halamka says, but they can overlap. “If I am a Medicare mill in Florida, I can gin up phony medical records” and make claims to Medicare, he says. That’s Medicare fraud. But if the identities of real people are used and the payments or services go into their records, that’s medical identity theft, too.

BIDMC has had a secure patient portal since 1999, which some 250,000 patients use, he says. Massachusetts has an all-payer claims database, which mails explanation of benefits documents to patients. Something like MIDAS “would be a great service to a payer,” he says, and can serve as a “check and balance” for both the payer and the patient. He says the best way to engage patients is to “push” the information out to the patient the way MIDAS does when a claim comes in.
“I am a big fan of engaging the patient and the family,” Halamka says, noting that this is also a requirement under meaningful use programs that provide payment for adoption of electronic medical records. Engagement is an area where groups are having the most trouble, he says.

Contact Katie Paullin at katie.paullin@modahealth.com, Kam and Arevalo through ID Experts, Hirsch at rhirsch@morganlewis.com and Halamka at jhalamka@bidmc.harvard.edu.