Medical Identity Theft is on the rise according to the latest Ponemon Institute research released yesterday. Ponemon estimates that 1.8 million people, just under 1% (0.8%) of U.S. adults, were affected in 2013, a 19% increase over 2012.
Based on survey data from self-reported cases analyzed by Ponemon, these cases rarely arose from a computer security incident or data breach caused by a provider. Only 7% of these cases were the result of a data breach, and 5% were caused by a healthcare employee stealing medical credentials. The full Ponemon report may be obtained here (registration required).
In 30% of cases, the “victim” knowingly shared their personal identification, usually with a family member or friend who had no insurance and/or couldn’t afford medical treatment or medications. These cases might be more accurately described as insurance fraud than as “medical identity theft”. In 28% of cases, a family member took personal identification or credentials without the victim’s consent. So, most of these incidents are family affairs.
The more significant impact on computer security is the loss of data integrity. In addition to confidentiality, computer security requires that records be correct and unaltered. Approximately 29% of cases resulted in inaccuracies in medical records. When a perpetrator uses false credentials at the same health provider used by the victim, inaccuracies in the victim’s electronic medical record result. According to the Ponemon survey, this has impacted victims through misdiagnosis (15% of cases) and improper treatment (13% of cases). The survey also revealed that 55% of victims lost trust in their healthcare provider as a result. So medical identity theft creates multiple categories of risk: malpractice risk and computer security risk. Impacts include improper treatment, loss of revenue and reduced patient satisfaction.
Regarding the 7% of cases that arose from a data breach, one category of malicious actor could be related to methamphetamine. A recent case in California involved breached medical records that were linked to illegal methamphetamine labs. Sutter Health’s East Bay region may have been the source of 4,500 patient records recovered in a California meth lab investigation, according to an article in the San Jose Mercury News.
Prescription-strength medications may be superior raw materials to the OTC-strength drugs frequently associated with illegal meth labs. It appears that in this case the organization recruited “runners” who used forged prescriptions and stolen insurance credentials to fill these fake prescriptions all around town.
A computer security risk analysis requires that likelihood and impacts be quantified. The Ponemon study helps to quantify the likelihood of different impacts, both of which are low:
- The probability of a data breach caused by a malicious actor (either inside or outside) perpetrating identity theft is on the order of 0.1%.
- The probability of inaccurate records as a result of a successful medical identity theft is on the order of 0.2%.
Implementing various safeguards can reduce these risks. These safeguards include requiring proper identification of patients, conducting audits of insider record accesses to identify improper employee behavior, and implementing any or all of the myriad measures that reduce penetration of the network by outsiders.