Home page logo

dataloss logo Data Loss mailing list archives

Having your financial identity stolen is awful. Having your medical identity stolen is worse
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Feb 2014 19:11:41 -0700


Most of us tightly guard our credit cards and bank account numbers, but
health insurance policy numbers are also prime targets for thieves. An
estimated 1.84 million people were victims of medical identity theft in
2013, according to the Poneman Institute, a research organization, which
expects that number to rise.

Victims often don't realize they've been targeted until they discover a
drop in their credit score or until a collection agency comes after them
for unpaid medical bills, says Jim Quiggle, director of communications for
the Coalition Against Insurance Fraud, a group that includes insurers,
consumer activists and government officials. While most of the cost of
medical identity theft is borne by the health-care industry and government,
the Poneman Institute estimates that about 36 percent of victims in 2013
incurred out-of-pocket costs such as reimbursements for services provided
to impostors, legal fees and identity protection services. The average cost
for these victims amounted to $18,660; in a few cases, it exceeded $100,000

Medical identity theft can happen in several ways. In one common scenario,
the criminal persuades a consumer to divulge his health insurance number.
Strategies for collecting these numbers can be highly sophisticated,
especially when crooks operate in teams,Quiggle says. "They might invite
seniors to bogus health fairs where they take their blood pressure and give
them some nutritional supplements and ask to see their Medicare cards."

Jennifer Trussell, who investigates medical identity theft for the
Department of Health and Human Services' Office of Inspector General, has
seen cases where criminal rings target senior centers or homeless shelters
and offer people $50 for, say, their Medicare number. "That information is
sold again and again," she says.

Even though the victims in these instances voluntarily share their numbers,
they may not realize the impact, Quiggle says. "They'll discover to their
horror that their Medicare account is being rifled and even maxed out by
thieves who are making false claims against their policy."

Some cases are perpetrated by employees of medical offices or even
health-case providers. Trussell worked on a case involving an Iowa
chiropractor who had lifted the names and dates of birth of more than 200
patients to collect fraudulent Medicaid payments. In another case, a
Baltimore pharmacy owner and two employees were indicted for allegedly
submitting bogus claims for prescription refills to Medicaid and Medicare.

Sometimes medical identity theft happens with the cooperation of the
victim, who allows a family member or acquaintance to use his health
insurance card to obtain care. Poneman Institute founder Larry Poneman says
these "Robin Hood" crimes comprised 30 percent of the medical identity
thefts his group studied in 2013.

Giving your insurance number to someone in need might seem like a generous
thing to do, but it's still a crime and you could suffer consequences if
the visits rack up bills that go unpaid or result in incorrect additions to
your medical records, Poneman says. If an impostor's blood type or medical
condition gets added to your record, you could end up receiving
inappropriate or even life-threatening treatment.

Electronic medical records make your medical data easier to steal, because
any clerk with access to patient records can load patient information onto
a thumb drive and sell it to cronies or crime rings, Quiggle says. And
because the Internet makes electronic records easy to share, tracking down
all the providers who have received incorrect data can be difficult.

So how do you protect yourself? Never give your medical identity
credentials to anyone but those with a legitimate reason for needing this
information, such as the billing person at your doctor's office, Quiggle
says. Treat with suspicion anyone who asks you for your insurance number
without a good reason, and never give these numbers to telemarketers or
callers conducting "health surveys."

Closely scrutinize the "Explanation of Benefits" or "Medicare Summary
Notice" documents that are sent to you to make sure that you actually
received the services and products listed, he says.

If you see anything suspicious, ask to see your medical record to look for
mistakes or evidence that your identity has been compromised. "A lot of
people don't realize that they have the right to read their medical
records," Poneman says. He recalls a case where a woman who stood more than
6 feet tall went in for bypass surgery; her medical record, however, showed
that she was just over 5 feet tall because, unbeknown to her, an impostor
had used her identity to receive care. Had she been given anesthesia and
other drugs based on the impostor's size, she could have faced serious
problems with the surgery.

Think twice before sharing detailed medical information on social media,
Trussell says. Posting a medical diagnosis on social media is akin to
posting your address along with the dates that you'll be away on vacation.
An impostor could use that information to obtain services that might not
raise red flags with your insurer. For instance, if you tweet about your
diabetes diagnosis, Trussell says, it's possible that "next thing you know,
you're getting diabetes test strips you didn't order or receive billed to
your insurance company."

If you discover that your medical identity has been stolen, your first step
should be a call to the police, Ponemon says. Next, call the Federal Trade
Commission's identity theft hotline, 877-ID-THEFT or report the problem
online at www.ftc.gov/idtheft. Report Medicare- or Medicaid-related crimes
to oig.hhs.gov/fraud/hotline or by calling 800-HHS-TIPS.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • Having your financial identity stolen is awful. Having your medical identity stolen is worse Audrey McNeil (Feb 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]