Medical identity theft incidents increased 21.7 percent in 2014, according to the “Fifth Annual Study on Medical Identity Theft,” which was released by the Medical Identity Fraud Alliance (MIFA) and conducted by the Ponemon Institute.
More than a thousand people in the U.S. participated in the study, all of whom identified themselves as victims of identity theft, Ann Patterson, SVP and program director at MIFA, told SCMagazine.com in a Friday email correspondence.
The study defines medical identity theft as occurring when a person's information is used by another to fraudulently receive medical services or prescription goods, including attempts to commit fraudulent billing.
Patterson said the increase in medical identity theft over the last year is attributed to a variety of factors, including healthcare-related data breaches.
She said that the rise of electronic health records (EHR) and other forms of digital protected health information (PHI) “creates a larger attack surface for cyber criminals,” and added that the increasing number of connected devices has created more entry points for attackers.
“At the same time the industry is being flooded with EHRs, the monetary value of medical identities is much higher than other forms of PII (personally identifiable information),” Patterson said. “This creates a very lucrative proposition for data hackers – a lot of digital records that are worth a lot of money.”
Not all medical identity theft is enabled by hacking, Patterson noted. She said that stolen computers, laptops and mobile devices containing EHR or PHI put data at risk, as do insiders who access sensitive information – possibly for malicious purposes.
So what, then, are the repercussions of medical identity theft?
One of the bigger effects appears to be cost – in the study, 65 percent of medical identity theft victims said they had to pay an average of $13,453.38 to resolve the issue. Those costs could include payments to healthcare providers and legal fees.
“Unlike the financial services industry where the Fair Credit Reporter Act limits a victim's liability to $50 if your credit card is fraudulently used, a similar provision does not exist in the healthcare sector,” Patterson said. “The cost is borne throughout all the stakeholders – it may be the victim, the healthcare provider or the health plan. There is no uniform practice.”
45 percent of respondents said that medical identity theft negatively affected their reputation – of those, 89 percent said they were embarrassed by the disclosure of health conditions, 19 percent said they missed out on a career opportunity, and three percent said they lost their jobs.
In the end, only 10 percent of respondents reported having achieved a completely satisfactory conclusion, and those who did reported spending an average of more than 200 hours ensuring the issue was completely resolved.
From a technology perspective, addressing the problem of increasing medical identity theft involves the healthcare industry staying alert for vulnerabilities, deploying layered security controls, and sharing information, Patterson said.
The study also notes that 53 percent of respondents believe their healthcare provider's negligence caused or contributed to the medical identity theft. Of those, 50 percent said trust and confidence in their healthcare provider diminished significantly, and 35 percent said trust and confidence somewhat diminished.
Furthermore, 48 percent of respondents said they would change their healthcare provider if informed that their medical records were lost or stolen.