If recent disclosures regarding the massive wave of breaches suffered by retailing icons Target, Neiman-Marcus and Sally Beauty haven’t scared you enough, try to wrap your brain around the new Ponemon Institute Patient Privacy and Data Security study. The study has found a 100% increase in criminal attacks on health care organizations since 2010. But if that weren’t enough, they also found something far more disturbing.
“Despite concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to their organization’s networks or enterprise systems such as email. Similar to last year more than half of (these) organizations are not confident that the personally-owned mobile devices or BYOD are secure.”
According to the report, very few organizations require their employees to install anti-virus/anti-malware software on their smartphones or tablets, scan them for viruses and malware, or scan and remove all mobile apps that present a security threat prior to allowing them to be connected their networks or systems.
I don’t know about you, but that scares me to death. Because we live in a time when breaches have joined death and taxes as the third certainty in life, this is foolhardy at best.
What should concern you about these findings (and several others in the report) is that assaults on health care systems don’t simply create the potential to have credit cards stolen or checks redirected: it’s that hackers are getting access to your health care data (“protected health information,” or “PHI” in regulatory speak), and the real world consequences of that are far more devastating.
Medical identity theft is on the rise, just as the rise in criminal breaches of health care providers is spiking. Medical identity theft accounted for 43% of all identity theft reported in 2013, and the U.S. Department of Health and Human Services estimates that somewhere between 27.8 and 67.7 million people’s medical records have been breached since 2009 (and that’s before the flawed rollout of the Affordable Care Act).
So what happens if a criminal gets his or her dirty little hands on your pristine medical records?
To some extent, it depends upon how much information you have shared with your doctor. While it goes without saying that your physician will have all the requisite contact and insurance information for billing, he or she might also have information that they don’t necessarily need to have such as your Social Security number, your family names and/or birthdays (which are often passwords or challenge questions for your bank, credit card and brokerage accounts) and even financial information that could be used to access your bank or credit card accounts.
Your name, address, Social Security number and family information can be used not only to access your existing financial accounts (either directly or via social engineering), but also to open new lines of credit in your name. This is why it’s important to check your free annual credit reports, as allowed by law. You can also monitor your credit by using a free tool like Credit.com‘s Credit Report Card, which updates two of your credit scores every month. Any unexpected change in your scores can signal identity theft.
On top of these financial risks, your medical records provide a veritable cornucopia of information that can be used in other ways. For instance, once a criminal has your personal and insurance information, he or she can use it or enable another to gain access to the health care system in your name, contaminating your medical records with his or their co-mingled information. Nothing is more dangerous than going to a hospital and having “your” medical records, as used by an identity thief or his/her customer, reflect an inaccurate blood type, medical history or the existence or absence of certain allergies as you are trying to access care, particularly in an emergency situation.
If an impostor uses your insurance to gain access to health care, it can also affect your own ability to access care: many insurance plans have yearly caps on certain types of care – and no insurance company is going to pay for “one person” to have an appendectomy twice. An identity thief with access to your insurance could drain your coverage before you even know it’s happened – and leave you in the lurch when you need it.
There is of course another big target here, namely your prescription history. Prescription drug abuse was up 10% last year, according to the federal government, and the value of some prescription drugs on the street is on the rise. An identity thief could very well use their access to your medical records to get the prescription drugs you need for your own health and well-being – leaving you both without your meds and with a suspicious doctor or pharmacist wondering why you maxed out all your refills so quickly and are coming back for more.
Massive cyberattacks resulting in the types of breaches we saw at retailers during the past three months generate a great deal more headlines and arguably create a greater sense of urgency today than ever before, In reality, once credit and debit cards are replaced, for the most part, the immediate danger has passed. Subsequent phishing attacks by email, phone and text are more problematic but if consumers exercise care, damage can be contained and issues resolved. However, when it involves medical identity theft, the crime can be nearly invisible until there’s an emergency and the consequences can literally be life threatening.
Adam Levin is chairman and founder of IDentity Theft 911.