How Medical Identity Theft Works, and How it Can Impact You

Posted by Scott Petry

Find me on:

Jun 7, 2016

Image: Patients in Waiting Room with Chart: Indivituals Impacted by Healthcare Data BreachesIDENTITY, SECURITY

The healthcare industry currently tops the target list of cyber criminals, according to IBM’s 2016 Cyber Security Intelligence Index [PDF]. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (Ponemon Institute) reveals that 89 percent of healthcare organizations and 60 percent of their business associates experienced data breaches over the past two years.

Recently, ransomware attacks (incidents where hospital data are encrypted and only released after a ransom is paid) have dominated the headlines. But most data breaches within the healthcare industry involve an even more lucrative target: medical records and related Personal Identifiable Information (PII), like Social Security numbers.

What does this mean for you? Medical identity theft via computer comes at staggering cost to the victims. They have to pay a steep price to get their life back: on average more than $ 13,000, according to one study. To make matters worse, victims can find themselves cut off from their doctors or get misdiagnosed, due to fraud-related errors in their medical records.

How to protect yourself? 

***

Why would anyone want to steal medical records? The answer may surprise you. Your medical information is worth serious money on the black market. It can be used to purchase prescription drugs, which the thieves then resell at a profit.

Or they defraud an insurer, funneling payments to an alternate account under their control. Your data may also be sold to a desperate uninsured person who then can receive treatment, in your name. And stick you with the bill.

Sounds far-fetched? It happens more often than you would think, as this Wall Street Journal story illustrates. While banks and credit card providers have real-time fraud detection and customer notification mechanisms in place, healthcare data are still woefully underprotected. A wave of criminal ransomware attacks on hospitals nationwide highlights this problem.

Chart for blog post: Medical and personal information theft through data breaches at health organizations

Healthcare is a $3 trillion (yup, that’s three thousand billion) dollar industry in the U.S. Yet  healthcare providers still make do with an aging, often outdated computer infrastructure.

Let’s face it: With the lengthy healthcare notifications that most of us never read, the odds are against us that you would recognize if someone received treatment or made an insurance claim in your name. If your medical data is stolen and used inappropriately, you won’t know about it for a very long time.

As early as  2014, the FBI warned that U.S. healthcare providers needed to clean up their act. Since then, the situation has only gotten worse.

2015 was a record year for organized computer criminals. By conservative estimates, more than 100 million records with personal identifiable information (PII) were stolen. Attackers plundered the digital files of some of the nation’s largest insurance companies and healthcare providers, including health care giant Anthem.

The attackers also helped themselves to the medical records of rural hospitals, metropolitan medical centers, and family doctors’ offices.

While we can’t personally safeguard our data stored on the servers of healthcare networks, we can learn how to better protect ourselves.

Five Steps to Protect Your Medical Identity Online

If you have not been hit yet, brace for the worst. Take these steps to protect your medical identity online:

  • Visit the website of the Medical Identity Fraud Alliance, which provides helpful prevention tips and first aid for medical identity theft.
  • Get a copy of your medical records. Review them and flag any suspicious or fraudulent entries. This guide from the Center for Democracy and Technology will help.
  • If you detect incorrect information in your medical records, you may be able to amend your files. The process is complicated and laws vary from state to state. This FAQ by the World Privacy Forum will walk you through the process.
  • If you have reason to believe you’ve become a victim of medical identity theft, file a police report. This won’t get the detectives tracking down the bad guys, but it can be important when you ultimately dispute charges.
  • If you receive a call from a debt collection agency, use the Fair Credit Act to your advantage. Immediately submit a dispute, following the steps published by the Federal Trade Commission.

One more thing: Let’s talk about your browser.

It’s true that you can’t control how careful healthcare providers are with your data. But better be safe than sorry, or, as Benjamin Franklin put it: “An ounce of prevention is worth a pound of cure.”

Online prevention of (medical) ID theft starts on your own computer - with your browser:

Surprised? Bear with me. Malicious software is known to jump from poorly secured websites or WiFi networks of hospitals or medical practices straight to the computers of patients and their families.

One recent example is the Norfolk General Hospital in Simcoe, Ontario (Canada), which  was attacked using an exploit kit called “Angler”. This software tool is used by criminal attackers to sneak malware onto the computers of their victims.

Because the intruders managed to infect Norfolk General’s website as well, the exploit was able to spread to the computers of patients and family members visiting the site.

This infection was made possible by the way regular Internet browsers work. The browser’s design is rooted in the 1990s, a time when nobody thought about web security.

Medical Identity Theft blog post illustration: individuals affected by healthcare data breaches.jpg

Traditional browsers all have one thing in common:  When they connect to a website, they download code. They then execute that code in order to display the page. That simple process opens significant security holes that can make it easy for hackers to monitor you, steal your data, or worse, take control of your computer or mobile device.

Trying to “harden” a local browser - whichever one came with your computer - with security plugins and add-ons will not fully protect you. Such digital band-aids don’t fix the fundamental vulnerability - that your browser processes all that web code locally, on your computer. 

Silo completely removes that vulnerability. That's why I think it's the better response to web-borne threats, and many computer security experts agree.

Silo is a disposable browser built in the cloud - our cloud, where we process all the code and absorb possible attacks. They won’t go anywhere:  Instead of web code, Silo transmits only images of the web pages back to your computer, via an encrypted connection.

When you're done, Silo deletes itself, purging all the cookies, trackers or other malicious code you may have picked up in the session. There’s a lot more to it than this basic description can convey. To find out more, try Silo for free: https://go.authentic8.com/intro

###

About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.

See also Scott's review of Adam Tanner's book Our Bodies, Our Data on this blog: What They Really Do With Your Medical Data

Topics: Identity, Security