Medical Identity Theft and Cybercrime Growing Health Industry Concern

A call to a health insurance company about an account often requires a member to repeat his or her medical identification number, home address, Social Security Number (SSN), date of birth and other information to everyone he or she encounters. That annoying need to give the same data over and over is imposed in the name of protecting the confidentiality of the medical records. However, the biggest threat to the information is not a random caller. The hacking of medical records through cybercrime and medical identity theft are far greater concerns, and many question whether the health insurance industry can adequately protect the information.

Medical records are a sought-after target for hackers and identity thieves. But, as several high-profile breaches (such as the Anthem Blue Cross of California breach that exposed data on millions of insureds) have shown, the health insurance industry is not equipped to deal with the growing attempts at data breaches, security incidents, cases of identity theft and criminal attacks. That is by their own admission, according to a new report by the Ponemon Institute released on Thursday.

In its fifth annual survey about privacy and security issues facing healthcare organizations, the Ponemon Institute found that criminal and malicious attacks are now the top cause of data breaches in the industry. It used to be employee mistakes. The Institute’s 2015 Study on Privacy and Security of Healthcare Data is derived directly from information provided by the healthcare organizations as well as related companies that regularly deal with those healthcare records.

Ponemon gathered its information from representatives of 90 healthcare organizations and 88 related businesses in February and March 2015. The study also looked beyond data breaches to medical identity theft and other types of cybercrime incidents that are growing concerns in the health care industry. “Criminal attacks are up 125 percent compared to five years ago,” according to the representatives surveyed, noted Larry Ponemon, the institute’s chairman and founder.

A whopping 91 percent of the healthcare organizations had at least one data breach during the previous two years. Forty percent reported having more than five.

Why should readers care? There are two critical reasons the increased threat of medical information cybercrime and identity theft impacts everyone:

  • The healthcare industry is spending $6 billion a year on data breaches; those costs are escalating and result in higher premiums for everyone.
  • The second reason is the growing threat of medical identity theft, incidents of which have doubled in the last five years. There were reportedly more than 2 million victims of medical identity theft in 2014.

Medical identity theft is worse than financial identity theft and even more difficult to clear up. Thieves have actually been known to use someone else’s medical identity to have surgery or tests done. Those records wind up intermingled with the victim’s. So, in the future, a doctor looking at past medical history might erroneously think the person has been tested for something or had something treated.

Besides the medical information, of course, access to medical records also provides access to financial information like SSN, date of birth and even banking data. As a result, medical health records are invaluable to crooks. They typically sell for $60 to $70 on the black market versus about one dollar for just an SSN.

Additionally, there is little support for members whose data is breached and who have suffered a medical identity theft. If a credit card is used fraudulently, the credit card company usually assumes the risk. The Ponemon survey found, however, that nearly two-thirds of the healthcare organizations do not provide protection services for patients whose information is stolen.

In 1996, the federal government implemented the Health Insurance Portability and Accountability Act (HIPAA) to make it easier for people to keep their medical insurance and protect their private health information. HIPAA is the reason it takes repeating information over and over again when calling a health insurance company – to protect the insured’s privacy.

Clearly, more protection behind the scenes in terms of bits and bytes is needed in the health care and medical insurance industry (as well as other industries) to address growing concerns about cybercrime and identity theft. Making callers repeat their date of birth five times does not exactly reassure them that someone else is not gaining access to their medical and financial information simultaneously. The answers are not clear, but the need definitely is.

Opinion by Dyanne Weiss
