
As Incidence of Medical Identity Theft Rises, CEs…

The name Moda Health, Inc. doesn’t appear on the Office for Civil Rights’ “wall of shame,” where HIPAA covered entities that have suffered a breach affecting 500 or more people are listed. Nevertheless, Moda, a health plan and benefits manager in the Pacific Northwest with some 2 million customers, was the first in the nation to include among its standard benefits a new kind of protection against misuse of protected health information that may lead to medical identity theft. In December, Moda began offering a product known as MIDAS, short for “medical identity alert system,” developed and sold by ID Experts, a 12-year-old breach prevention, assessment and mitigation firm based in Portland, Ore.

“Just as good health involves preventive care, we think protecting your medical identity involves preventive tools to help you monitor that identity,” Moda spokeswoman Katie Paullin tells RPP. On a Web page touting MIDAS, Moda calls medical identity theft “more than just an invasion of your privacy — it’s a threat to your health and well-being. With enough information, an identity thief can use your medical benefits to submit false claims, rack up bills with fraudulent charges, fill prescriptions in your name, or add a new allergy or medication to your medical records.”

ID Experts is perhaps best known for RADAR, its patented product that helps covered entities (CEs) conduct a HIPAA security risk analysis (RPP 5/13, p. 11). And while MIDAS has been available only since November, Rick Kam, ID Experts’ president and co-founder, tells RPP the market for MIDAS is just as big. MIDAS can be used as an add-on to credit monitoring and breach mitigation that CEs would provide in the event of a breach. Or, as in Moda’s case, MIDAS can be bundled with a typical benefits package and used as a bulwark against rising incidents of medical identity theft. Such “incidents” rose nearly 22% from 2013 to 2014, according to a recent study by the Ponemon Institute, its fifth annual on the topic.

Credit Monitoring Falls Short

Credit monitoring alone “doesn’t do anything if your health insurance number is being misused,” Kam says. The danger in medical identity theft is not only that the cost for fraudulent services will be incurred, but also that wrong and potentially damaging or dangerous medical information could become part of the patient’s medical records, he points out.

CEs are suffering breaches every day, it would seem. The most recent to make the news was the monumental breach of possibly some 80 million records held by Anthem, Inc., which was announced Feb. 4 (see story, p. 1). Anthem initially drew the wrath of Connecticut Attorney General George Jepsen, who wrote a letter to Anthem on Feb. 10, signed by nine additional state AGs, demanding that Anthem speed up the process of informing affected individuals of the details of the breach and ways they could protect themselves, including by offering credit monitoring services. They did not suggest medical ID theft protection, which many are not aware exists. ID Experts hopes to change that.

ID Experts CEO Bob Gregg penned an “open letter” back to Jepsen on the same day, stating that Jepsen’s emphasis on credit monitoring “misleads consumers.” “The greatest and longest lasting potential harms that are likely to affect the individuals impacted by the Anthem breach will be medical identity theft,” Gregg wrote. “As a result, it can have a devastating impact on individuals, be difficult to detect, and be very costly to repair.” Gregg urged Jepsen to “consider that some type of medical identity monitoring, to complement the credit monitoring, should be an essential requirement” for Anthem to provide affected individuals. Robert Blanchard, Jepsen’s spokesman, said the AG had no comment on Gregg’s letter.

Secure Claims Are Sent

ID Experts describes MIDAS as “an innovative health care fraud solution…developed to lower healthcare costs and protect consumers’ medical identities through early detection and prevention of healthcare fraud.” Kam says ID Experts had been “looking for something to prevent medical identity theft.” It felt a product was needed that would function like credit monitoring and restoration services do for financial costs, but would be able to catch incidents that don’t necessarily or immediately have financial implications. For example, a person could appropriate someone’s identity and obtain services under his or her insurance card, with no charges ever appearing on the patient’s credit card. But seeing no such product, the firm decided to create one of its own.

Payers support MIDAS “on behalf of their members,” Kam explains. “We price the program based on the number of potential members using the tool,” at a cost of “pennies per person per month.” Contracts for MIDAS are typically for three years, he adds.

The way MIDAS works is by tapping into a claims database — either the payer’s directly, or one ID Experts creates to house a MIDAS customer’s claim once it is sent to ID Experts. “We have a secure daily feed from the payer [of claims] with a limited number of data elements,” Kam explains. Once a claim is identified, ID Experts sends the patient an email or a text — depending on the option they’ve selected — alerting them to log into a secure website to review the claim. The text and email are not sent in an encrypted fashion. This part is similar to how credit monitoring works.

For example, as needed, firms such as Experian send customers with credit monitoring an email stating, “Information in your credit report has changed,” and telling them to log in to view the “alert.” If the alert refers to something that is a problem, the person has to contact Experian to resolve it.

With MIDAS, the member registers and sets the frequency of alerts; access to records for family members can also be granted, although those over 18 have to give authorization. It “works on just about any device with a web browser…[and] will adapt its screen size to fit all smartphones, tablets, laptops, and computer monitors,” according to information on the MIDAS website.

Once alerted to a claim, the person logs in and views the provider name, date of service and type, such as a routine check-up. The person indicates a choice to mark it as “valid,” “suspicious,” or “needs research.” He or she can also note physicians commonly seen so alerts for them won’t be sent. In this way the system begins to “learn” the member’s pattern of health care service, the same way a credit card company compiles data that warn of aberrant purchases. Any claim flagged as suspicious “is then encrypted and sent to MIDAS’s team of fraud experts for investigation.” (For more information, see https://www2.idexpertscorp.com/midas-software.)

Still ‘Pay and Chase’

ID Experts never sends PHI or other information, such as a Social Security number, in the alerts to patients or health plan members, so it does not run afoul of HIPAA or other laws, Kam stresses.

For now, ID Experts typically doesn’t hold up payment of a claim while it’s waiting for the individual to verify it, although Christine Arevalo, ID Experts’ vice president for health care fraud solutions, says the firm “can modify our approach based on each health plan’s preference or business rules.” But, she adds, “Obviously, I envision a future where these transactions are approved or denied in real time.” The system would work best, Arevalo says, “the sooner the better” the individual can enter “the data stream in order to spot suspicious activity quickly.” However, “the limitations of the current ecosystem make that a dream for right now,” Arevalo tells RPP, especially because payers must meet requirements to process claims within a certain period of time. MIDAS “is not…standing in the way of claims being paid. We, like the rest of the industry, are typically forced to use a ‘pay and chase’ model whereby we follow the fraud after it’s occurred, and the claim has been submitted for payment,” she says.

There Is Praise for the Concept

Despite the fact that credit monitoring has now become de rigueur following a breach of PHI, CEs aren’t even required under federal rule to offer such services. Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP in San Francisco, points out that only the state of California comes close (but not very) to having something of a mandate to this effect, following a 2014 amendment to its breach notification law. The amendment, which went into effect Jan. 1, states that, “If the person or business providing the notification was the source of the breach, an offer to provide appropriate breach prevention and mitigation strategies, if any, be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information” as defined by California law.

Hirsch notes that this is not a mandate because of the qualifier “if any,” regarding the provision of breach-related services. And it doesn’t mention protection from the risks of medical identity theft, which Hirsch says there is “definitely a need for.” “I think something like [MIDAS] would be very valuable,” Hirsch adds.

John Halamka, chief information security officer for Beth Israel Deaconess Medical Center, agrees. “That sounds like a very interesting service,” he tells RPP. Halamka sees an additional benefit, that of patient engagement. He isn’t sure how much true medical identity theft is happening; he’s aware of only one case at BIDMC, which involved a patient coming to his emergency room without insurance and with false identification. “There are two separate issues,” Halamka says, but they can overlap. “If I am a Medicare mill in Florida, I can gin up phony medical records” and make claims to Medicare, he says. That’s Medicare fraud. But if the identities of real people are used and the payments or services go into their records, that’s medical identity theft, too.

BIDMC has had a secure patient portal since 1999, which some 250,000 patients use, he says. Massachusetts has an all-payer claims database, which mails explanation of benefits documents to patients. Something like MIDAS “would be a great service to a payer,” he says, and can serve as a “check and balance” for both the payer and the patient. He says the best way to engage patients is to “push” the information out to the patient the way MIDAS does when a claim comes in. “I am a big fan of engaging the patient and the family,” Halamka says, noting that this is also a requirement under meaningful use programs that provide payment for adoption of electronic medical records. Engagement is an area where groups are having the most trouble, he says.

Contact Katie Paullin at katie.paullin@modahealth.com, Kam at rick.kam@idexpertscorp.com, Arevalo at christine.arevalo@idexpertscorp.com, Hirsch at rhirsch@morganlewis.com and Halamka at jhalamka@bidmc.harvard.edu.

Report on Patient Privacy, March 2015. Copyright © 2015 by Atlantic Information Services, Inc. Reprinted with permission from Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com


IAPP Global Privacy Summit 2015

Anytime you get to listen to folks like Glenn Greenwald, the journalist who brought us what was happening inside Edward Snowden’s mind, it is going to be an interesting few days. Some of the high points from that session alone were the comments around why Snowden risked life in a federal prison for disclosing what he did. The answer: “It would be less painful to go to a federal prison than to live with the amount of data the US government was collecting on individuals without their knowledge and consent. To the extent the government is setting up massive data storage facilities and basically working on the directive to ‘collect everything’ on the internet so they can review it later for some not yet determined reason.” The comments certainly make you believe that there is a lot more than one would expect to be recorded for “national security” purposes. We all know that there is a massive amount of data being created each day, but we haven’t yet begun to understand the impact it will have on our lives at some point in the future.

This was cemented for me when Michael Sandel took the stage. He is a professor of Harvard’s most popular course to date, “Justice.” Sandel explores ethical dilemmas around the world, including the data collection world; and at IAPP, he walked the crowd of about 1,500 people through what felt like a small classroom lecture on privacy and philosophy. He asked audience members about their personal opinions on issues like Uber’s “God view,” and the statistics tracked by wearable fitness devices. What made it interesting was that he was personable enough to ask specific members of the audience questions and follow-up questions to pull out their real opinions. Where does privacy start and where does it end? Can you pay for privacy? Does paying for privacy violate the right of those who can’t afford it? It was amazing how quickly he could present the opposing view and even alternate views with several current privacy issues our world faces.

This was a great start to the conference and had the crowd energized for the rest of the sessions. This also came through in the exhibit hall, where we had a constant stream of visitors and fielded questions about incident response management, and how we incorporate our global services and software platforms to help the prospective clients that were roaming the halls. I was amazed at how many of the who’s who of Corporate America’s chief privacy officers were represented at the conference and paid us a visit to learn more. It was also great to see that many of the attendees were beginning to look at these risks as more of an Enterprise Risk Management issue than something just the Chief Privacy Officer needs to tackle.

See you in Las Vegas next year, where I am sure everything will remain private, because what happens in Vegas stays in Vegas, right?


2015 PHI Protection Network Forum - A Time “Before…

It is 10:33 am the day after attending the third annual PPN Forum in Orange, California on February 19, 2015. I am sitting in seat 26D at the back of Alaska flight 587 traveling home and reflecting on the highlights of the forum. The key message at the forum was that mega data breaches, starting with Target in December of 2013 through the recent breach of up to 80 million members of Anthem, have created a “window of opportunity” for PHI Protectors to advance their cause of better PHI security.

Here are a few highlights from the day…

Dick Wolfe recognized with the first “PHI Hero” Award: The morning started with us honoring Dick Wolfe, a good friend and colleague, with the first “PHI Hero” Award. Dick made a significant contribution to the protection of health information before his passing last November. Dick’s daughter, Melissa Johnson, was there to accept the award on her father’s behalf and said how much she really appreciated hearing about the important work her father did during his 30-year career and understanding how important his role was to protecting our health information.

Average Persistent Threat: Larry Clinton, President of the Internet Security Alliance, set the tone for the conference, highlighting the challenge PHI Protectors have in healthcare with investment down and the challenge of advanced persistent threats becoming the “Average Persistent Threat”. It is now commonplace for cyber criminals to use sophisticated methods and tools to attack and breach an organization’s security defenses. He said there are now only two kinds of organizations - those that know they have been breached and those that don’t know they have been breached. The reality is every organization is at risk of cyber-attack and breach of sensitive personal data, intellectual property, and other trade secrets.

Delineation now exists in time before the Target breach and after the Target breach: JD Sherry, VP Technology and Solutions from Trendmicro, asked each panelist which Looney Tunes character best represented their role. The panelists all agreed it was Wile E. Coyote, because no matter what he tried, the Road Runner always got away. The bad guys always seem one step ahead of the good guys regardless of the effort or technology they implement. JD asked how their jobs had changed over the past 24 months. A key point made by this panel was “we now refer to time as Before Target and After Target”. Dustin Wilcox, CISO at Centene, said before Target he met with his executive team for 15 minutes once a quarter, but after the Target breach, his board members and executives began calling him at home asking questions about how to avoid a Target-type breach and giving him the necessary resources to implement security initiatives faster.

Value of a Cyber Insurance Policy: David Finn, Health IT Officer from Symantec, led his panel on a discussion of the legal and regulatory issues and consequences. The panelists highlighted the benefit cyber liability insurance can have in mitigating the financial impact of a breach. Kim Holmes, VP Product Development at One Beacon, said one big mistake entities make is believing that their current general liability insurance policy covers cyber risk. Sean Hoar, Partner at Davis Wright Tremaine, cautioned about knowing what is covered and what is not and whether the policy had specified vendors you had to use as part of the coverage. He commented that if you already have a relationship with an attorney or breach services provider, the policy may exclude you from using them. Andrew Serwin also talked about when to use attorney-client privilege to protect confidential information and suggested considering invoking this protection when doing a risk assessment, in case this information discloses cyber risks an organization decides to accept.

4 Threats are Big Data, cloud, mobile, social media: Greg Bassett, VP of Service Delivery at Clearwater Compliance, introduced his panel by stating that the information in a patient health record is worth 20 to 50 times that of a social security number on the black market. Big Data, cloud computing, mobile (BYOD), and social media are what is keeping security and privacy professionals up at night. And on top of all of this risk is “risk of the unknown.” Jerry Sto. Tomas, CISO at Allergan, shared a story about a recent hostile takeover attempt to create a possible security breach. The panel shared that there is a shortage of security professionals available for hire in the market, creating more opportunity for risk.

What I Learned from Chinese Hackers: This panel focused on approaches to protecting PHI and was led by James Christiensen, VP of Risk from Accuvant. Eric Cornelius, Director of Critical Infrastructure and Industrial Control Systems at Cylance, shared what he learned from hackers who use existing tools to breach a network. He said Chinese hackers will use the standard utilities that come prepackaged with Microsoft to gain access to a secure network. He also said that with zero additional investment, an entity could use these same free tools and do a better job of detecting a breach. Chris Strand, Sr. Director of Compliance at Bit9, and Stephen Bono, Principal at Security Evaluators, also talked about the need to focus on the basics in cyber security - people, process, and tools.

San Diego Health Connect is proof there is value in sharing health information: Good news was shared by Dan Chavez, General Manager of San Diego Health Connect, a health information utility that connects providers, patients and Health Information Exchanges (HIE). Dan believes that the success of his health information exchange is based on creating a platform with federated data that improves health quality outcomes. He stressed that all the stakeholders, including major provider systems, government agencies, and business associates, agreed to play by the same rules, which fosters information exchange without competition.

The common enemy between doctors and CISOs is the compliance officer: When Dr. Jay Smith was asked how PHI Protectors could do a better job engaging doctors in compliance, he said that the enemy is the compliance officer. But he followed up with the sentiment of “give them a role and voice at the table and they will come.” Ray Ribble, Managing Partner at All Medical Solutions, asked his panel to suggest ways PHI Protectors could get involved with efforts inside and outside of their organizations after the conference, which led to a discussion about engaging with alliances such as the Medical Identity Fraud Alliance, NIST, and ISACS.

Thank you again to the sponsors, speakers, and attendees for making this a wonderful information sharing and networking event. Please join the conversation on the LinkedIn Group and participate in the ongoing dialogue. As our panelists said, we have a tremendous window of opportunity now to make an impact -- patient privacy and security is about all of us.


Award winning RADAR now supports international data…

Come experience the new global RADAR at the IAPP Global Privacy Summit[EL1]

Domestic and international data privacy and protection laws are undergoing continuous tinkering by regulators to counter the growing erosion of our privacy. Internationally, the European Union is advancing its data protection directive, and in 2014 the Court of Justice of the European Union issued a ruling on the 'right to be forgotten' in relation to online search engines (http://ec.europa.eu/justice/data-protection/). To help our clients effectively navigate this complex and evolving maze of domestic and international regulations, we have expanded RADAR’s regulatory incident response management scope to include international data protection laws.[DP2]

Complexity increases for domestic privacy laws

Domestically, the mix of federal and state privacy and breach notification laws seems to fuel more complexity. On the heels of the administration’s announcement to pass a new federal breach law, the Personal Data Notification and Protection Act, the New York attorney general announced that he intends to propose a state bill that would expand his state’s “outdated and toothless” consumer protection measures and expand the definition of what constitutes private information. Which means more data breaches and notifications to affected individuals.[LM3]

We’ve just entered 2015 and there’s already a debate going on in Minnesota about not allowing preemption of the state privacy law by the federal law (http://healthitsecurity.com/2015/02/20/minn-organization-testifies-on-patient-privacy-law/). New Mexico has revived its attempt to become the 48th state with its own privacy law. Indiana is working on making sure that its privacy law applies to data owners who are not doing business in the state. New Hampshire is trying to expand student data laws to deal with online privacy and breach notification. And Wyoming wants to amend its data breach notification law to include medical information, biometrics, on-line account information and require offers of identity theft prevention services, taking California’s lead.

Come experience RADAR in action at the IAPP Global Privacy Summit – Booth 420!

Come experience RADAR’s new international resource library at the IAPP Global Privacy Summit in Washington, DC on March 4th through March 6th 2015. (https://privacyassociation.org/conference/global-privacy-summit-2015/)[LM4] [DP5]

Reviewer comments on the draft:

[EL1] If you’re not going to mention IAPP in the supporting paragraphs to this section header, then I suggest you change the section header to something about just the international laws. Otherwise, lead off about the IAPP event.

[DP2] Link to datasheet.

[LM3] I understand more notifications, but how does this law drive more data breaches?

[LM4] Seems like this just abruptly ends. Suggest we add a couple of sentences to give it a proper close and focus on how the integration of international will provide our global clients the only integrated view – or something like that.

[DP5] Agree, this needs more meat.


Anthem Breach Highlights Limited Public Awareness of…

The massive data breach recently announced by Anthem Inc., the second largest U.S. health insurer, provides a perfect example of a limited understanding by media and many “experts” of the full spectrum of risks resulting from data breaches in healthcare organizations. While breaches like this one at Anthem do put consumers at risk of financial identity theft, it is the threat of medical identity theft and fraud that is more serious and less well understood.

In the eyes of most people, every data breach puts consumers at risk for identity theft, which leads to bank account fraud, credit card fraud, and tax fraud – all things financial. As an example, Forbes coverage of the Anthem breach (6 Ways to Protect Yourself after the Anthem Data Breach, February 5, 2015) provides conventional advice, the same treadmill of check your bank statements, check your credit cards, change your password, order your credit report. That is all good, albeit generic, advice, but it completely ignores the risks of medical identity theft and fraud.

Because the compromised data included both health insurance member identifiers as well as social security numbers, the major risk here is medical identity theft. This can happen a number of different ways, but the two most common are 1) someone uses your medical identity to obtain medical goods, services and prescriptions pretending to be you, or 2) a devious individual (often organized crime) uses your medical identity to bill your insurance, Medicare or Medicaid for all kinds of medical goods, services and prescriptions without your knowledge. The huge problem here is everything that is done by the fraudulent person goes on your personal medical record as if you did it!

Suddenly the next time you go to a doctor or emergency room they will pull up your record (which is now an electronic health record) and most of the things on there are not you. Your pre-existing conditions, your allergies, your drug interactions, possibly even your blood type may have changed. Medical identity fraud can literally kill you. So pardon my frustration when 90% of the major media outlets never even mention that.

Is that possibly because medical identity theft isn’t as prevalent as I think? As it turns out, to the contrary, medical identity theft is the fastest growing identity crime in the country, affecting over 1.8 million Americans according to the 2013 Ponemon Study on the subject.

But all is not lost; some of the media coverage on the Anthem breach is starting to dig into the risks of medical identity theft. NBC News has taken a broader view of the risks inherent in the Anthem breach in their coverage. Their article (Anthem Hack: Credit Monitoring Won’t Catch Medical Identity Theft, February 5, 2015) actually talks about the problem and points out correctly that credit monitoring is largely useless to protect consumers from medical identity theft. They point out many of the risks and give some advice on how to detect if you may have a problem.

What was not reported in this article, however, is that there is now an effective alternative solution to credit monitoring that focuses on protecting consumers from medical identity theft. It is MIDAS – medical identity theft alert system – a software and services solution created by ID Experts specifically in order to address the risks of medical identity theft. MIDAS notifies the consumer every time a healthcare provider makes a claim against their medical identity. You simply confirm that yes, you saw that provider on that date and received that treatment or product. Of course, if you don’t recognize the claim being made, we then have a potentially serious issue that will be followed up on immediately. No more wondering if someone is fraudulently using your medical identity.

One last note…if you care about the serious topic of medical identity theft, there is a recently created non-profit organization called the Medical Identity Fraud Alliance (MIFA) that has a mission to educate consumers (and the media) about this growing problem. As big as it is, pretty much everyone agrees the Anthem breach will be just one of many healthcare breaches in the coming months and years, and now is the time to start arming consumers with a way to fight back.
