Insurance & Risk Management: Thwarting Thieves

Medical identity theft is a growing problem, especially amid the rise of electronic medical records. The issue affects both patients and providers.

By Craig Lovelace
From the May 2013 issue of Columbus CEO

When the personal information of 78,000 people was lost through a data breach at the Ohio Area Agency on Aging in Mansfield, the public learned about the 2011 incident almost immediately through the agency’s own admission and reports in the media.

What isn’t known, and what some say is a more nefarious element of breaches, is whether any of the purloined data found its way into a hospital, a doctor’s or dentist’s office, or any other health-care facility and was used to secure services under the name of someone whose information had been stolen.

The breach at that point is elevated to medical identity theft, which health-care and technology experts say is a growing concern without a clear solution. Aiding its rise is the pervasiveness of unsecured mobile electronic devices, a federal requirement that health-care facilities switch to electronic recordkeeping and a disjointed approach in addressing the issue.

“I think that this is ready to explode,” says Phyllis Teater, chief information officer at the Ohio State University Wexner Medical Center, “and the biggest concern we have in the medical community is that it is unsafe.”

Pilfered medical information is used to secure health-care services including those from taxpayer-supported Medicaid and Medicare. The most commonly stolen information is patient medical files and billing and insurance cards. Teater says providers’ big worry is the comingling of medical information of the victim and thief, which can threaten or impair treatment for the victim.

Not only is medical ID theft dangerous to those whose data is misused, it also poses a risk to health-care organizations, whose approach toward the issue has been less than stellar, says a data security expert in Columbus.

“Health care traditionally has been a sector that sees itself as being above the crass commercial world of commerce,” says Matt Curtin, founder of Interhack, whose clients include health-care institutions across the country. “This has been coming for years, so it should be no surprise that we should expect more exposure.”

A Growing Problem

The Federal Trade Commission reported that medical identity theft occurrences spiked 61.5 percent in 2012 from the previous year, while the World Privacy Forum says medical identity theft affects 1.5 million Americans and costs more than $30 billion.

Furthermore, the average data breach costs health-care organizations $2.4 million, an increase of $400,000 from 2010, according to a 2012 report from the Ponemon Institute, a Traverse City, Mich.-based privacy, data protection and information security research organization.

The loss of private medical information occurs most commonly because of the theft of a laptop computer (as was the case at the Agency on Aging), an unintentional employee error or an action involving a third party, according to Ponemon. Increasingly, the study revealed that criminal attacks on IT security comprise a larger percentage of listed reasons for medical ID theft, increasing to 33 percent in 2012 compared with 20 percent two years earlier.

Attorney Lisa Pierce Reisz, a partner at Vorys, Sater, Seymour and Pease, says there have been cases of people taking jobs at medical offices solely to steal patient information. She frames the landscape this way: “The privacy folks are trying to catch up to the bad guys.”

Patient privacy rules fall under HIPAA, the Health Insurance Portability and Accountability Act of 1996, although Reisz says not everyone is up to speed with compliance. “We are now 15 years into this, and we have clients who have done nothing,” she says.

That will change Sept. 23 as HIPAA rules are expanded to help consumers protect and control their health information in a digital age. Additionally, tougher penalties for disclosure violations take permanent effect under the Health Information Technology for Economic and Clinical Health Act (HITECH), whose final rules were announced in January. Reisz says HITECH gives the federal government teeth in privacy governance issues.

‘Wall of Shame’

One of HITECH’s rules requires medical enterprises to report to the U.S. Department of Health & Human Services any data breach that affects more than 500 people. HHS then posts them online for public viewing on a page titled the “Wall of Shame.”

Its most recent data shows 12 Ohio medical facilities experienced breaches between 2010 and December 2012 that affected at least 500 individuals (see “Ohio Patient Data Breaches”). Overall, the information of 176,392 people was stolen, with the Mansfield aging agency the largest single breach.

Two other Central Ohio facilities made the list as well: OhioHealth’s Grant Medical Center suffered a 2010 breach affecting 500 individuals, and Westerville Dental Center experienced a breach in December affecting 850. OhioHealth declined an interview, and the dental center did not return a call for comment.

For those affected by medical ID theft, it can take months of time and thousands of dollars to fix the damage. Some like Interhack’s Curtin say that unless medical facilities adopt more aggressive strategies to proactively address IT breaches, they are exposing themselves to a lot of problems. He says the cultural infrastructure at some health-care providers results in a decentralized approach where everybody is doing their own thing—using different software, for instance—without looking at the bigger picture.

“In my view, health care is a unique business because they refuse to think of themselves as a business. What that means,” Curtin says, “is that the clinicians are in charge. There are health-care systems where the CIO has no control of the clinicians. There are some that have a CIO and a CIO for the clinicians.”

A 2012 study by Carnegie Mellon University’s CyLab surveyed 108 board members and senior executives from Forbes Global 2000 companies that showed a significant gap in their understanding of the link between IT risks and enterprise risk management. According to the findings, 57 percent of respondents aren’t seriously analyzing their company’s cyber insurance coverage, their cyber risk management practices or what financial risks might result from the theft of proprietary data and security breaches.

Rick Kam, co-founder of ID Experts in Portland, Ore., says a central issue with medical ID theft is attaching a value to the stolen information because the issue is so new. “The boards that manage health-care enterprises are doing business as usual and don’t recognize the value of your information,” he says. “The system we use is as old as the Industrial Revolution.”

Kam says he worries about patient information stored in the cloud or accessed through unsecured mobile devices. The switch to electronic recordkeeping hasn’t helped, he adds.

Some Central Ohio hospitals are working to combat the theft of patient information. Teater says Wexner Medical Center staff members flag suspicious information, such as a person who has tonsils although the medical record shows none, and follow up.

Mount Carmel Health System has encrypted all patient information, says Tom Enneking, regional information security officer. The system also restricts employees’ access to records and brings in a third party to assess risks. “We do it proactively and routinely,” Enneking says.

On the horizon, look for photographs and biometrics to become part of your permanent medical record, theoretically ensuring those private medical files remain so.

Craig Lovelace is a freelance writer.