Recent cyberattacks and data breaches at healthcare organizations are hitting individuals where it hurts the most – their wallets. A recent article in the Wall Street Journal covers the financial impact that individuals experience when their PHI is stolen. And according to a survey by the Ponemon Institute, 65% of medical identity theft victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.
Losses from medical identity theft
In many instances, victims are unaware that their PHI has been stolen until they get a medical bill or a call from a collections agency. Because the thief used the victim’s PHI to obtain medical care, the thief’s health data is now incorporated into the victim’s medical charts. Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now integrated with the victim’s, are protected by medical-privacy laws.
While healthcare providers and insurers sometimes absorb losses from cyber theft, they often pressure consumers to pay. The burden of proof also falls on the consumers, requiring them to pursue legal measures in order to resolve unauthorized charges and debts. In many cases, consumers are stuck paying medical bills for services they didn’t receive. Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information. Other impacts of medical identity theft include having legitimate medical claims denied by insurance providers or having health insurance cancelled altogether.
As we discussed in our previous blog, Safeguarding Your Protected Health Information, cyber criminals are using protected health information (PHI) stolen from millions of Americans to get illegal healthcare, prescriptions and medical equipment. Fueling this theft is the surge in electronic medical records and data breaches at health insurers and healthcare providers. The Ponemon Institute estimates that medical identity theft affected 2.3 adult patients in 2014 – a jump from 1.4 million in 2009.
Medical identity theft has led leading healthcare organizations, including Blue Cross Blue Shield Association and Aetna Inc., to form the Medical Identity Fraud Alliance (MIFA). MIFA’s goal is to reduce the frequency and impact of medical identity theft throughout the healthcare ecosystem. Federal agencies such as the Department of Health and Human Services, Justice Department and Federal Bureau of Investigation are also stepping up joint investigations.
Federal health programs are also experiencing changes in light of medical identity theft. President Barack Obama signed a bill in April that requires the Office of Health and Human Services (HHS) to issue Medicare cards that don’t display, code or embed Social Security numbers. The action came in the wake of health insurer Anthem Inc.’s massive data breach that impacted the personal information of 80 million current and former customers and employees.
Despite these measures, individuals need to be vigilant in monitoring and safeguarding their PHI as well. Some actions to take include obtaining regular credit reports; reviewing medical records from doctors, pharmacists and hospitals; and monitoring insurance benefits. Individuals should take swift action if medical claims are denied – this could be a sign of identity theft. In this case, they should file an appeal with their medical provider immediately.
Concerned about safeguarding your organization’s PHI? The HOSTING team of certified information security and compliance experts stands ready to help. Contact us anytime with your questions about medical identity theft. And download our latest guide, Top 5 Compliant Hosting Answers You Need to Know.