Medical ID Theft Spreads

1.8 million Americans have been victims of medical identity fraud -- including some from their own family members -- new report finds

Identity theft isn't just credit- and debit-card account or Social Security number theft anymore: Cybercriminals are targeting health insurance and other personal information to peddle or execute medical fraud for surgeries, prescription drugs, and medical equipment. A new report published Thursday shows how quickly this medical identity theft is growing, with 1.84 million Americans falling victim to this form of fraud.

Medical identity theft is costly -- victims paid $12 billion out of pocket last year -- and it can be literally lethal, according to a new report by The Ponemon Group. "Medical identity theft is contributing significantly to the high costs of health care," says Robin Slade, development coordinator for the Medical Identity Fraud Alliance, which, along with ID Experts, commissioned the report. "With financial fraud, you recover most of the losses incurred. But medical identity theft has the potential to impede medical treatment and to potentially kill you. The fraud causes your medical records to be contaminated by the medical information of the perpetrator. And very few consumers are aware of it."

Some 15 percent of medical ID theft victims say the fraud resulted in a misdiagnosis; 13 percent, an inaccurate treatment; 14 percent, a delay in treatment; and 11 percent, the wrong prescription drugs. Half of those patients say those issues have not been resolved, according to the report.

Some 313,000 new cases of medical ID theft were reported last year, and those were only the ones on record: Security experts say many aren't reported. So-called "family fraud" factors into the equation here as well, says Larry Ponemon, chairman and founder of The Ponemon Institute.

Some 30 percent of the respondents say they have allowed a family member to use their personal IDs to receive medical treatment, health care products, or pharmaceuticals, and more than one-fifth of them don't know how many times they have done so. Nearly half of all medical ID fraud victims say they know who stole their identities but didn't want to report the perpetrators. And many don't realize it's illegal.

"It might be for a family member or friend suffering and who needs emergency care and is not insured, so they hand it over [their insurance card], and it's used to steal [services]," Ponemon says. "The family fraud issue is a very troubling finding."

The report underlines one of the big problems with medical ID theft: a lack of understanding of just what constitutes fraud, as well as the growing value of medical information. Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center, the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts last month co-founded the public-private Medical Identity Fraud Alliance to help fight medical identity theft. MIFA aims to unite key players and establish solutions and best practices, as well as educate consumers on how to empower themselves to protect their health information.

[Medical Identity Fraud Alliance debut a sign of the times as attackers set sights on valuable patient insurance and other health records. See New Consortium Formed To Cure Rise In Medical ID Fraud .]

Medical ID theft can take several forms: It can be the result of family fraud, a health care provider's online data breach, or physical theft of equipment storing the information, such as the break-in last month at an administrative office of the largest health system in Illinois, Advocate Medical Group, where thieves stole four unencrypted computers that contained Social Security numbers, health insurance, and other personal information of 4.03 million patients.

Most victims don't know how their medical information was exposed, Ponemon says. "A large segment of folks don' t know how it happened," he says.

Some 56 percent of the victims say they lost confidence in their health care provider in the wake of the fraud experience, and 57 percent say they would drop their providers if they were unable to protect their medical records. But most consumers don't do much to protect their medical information: Fifty-four percent say they don't check their health records because they don't know how to do so and are relying on their health care provider to take care of it, and 52 percent say they didn't report medical claims that appeared inaccurate.

Dan Nutkis, founder and CEO of the Health Information Trust Alliance (HITRUST), says health care organizations increasingly are being targeted by cybercriminals for both financial and medical information. "There's no question about it: There's been an uptick in healthcare [providers] being targeted," Nutkis says.

Attackers are placing and selling backdoors or other malware onto health care organizations' systems for other bad guys to steal information. "They have planted backdoors in health care organizations so they can sell access," Nutkis says.

Alex Balan, head of product management at BullGuard, which offers an online identity protection service for consumers, points to a data dump a few months ago that included victim names, dates of birth, addresses, height, weight, full credit card account information, insurance information, and even the type of cars they drove. "There were 20 to 30 columns for each individual [entry]," Balan says. It was enough information to begin to assume someone's identity.

Social engineering can provide a treasure trove of medical information for fraudsters, he says. "If you're trying to get services from a medical institution or a hospital, you need to know the entire scripts on what you're going to be asked, and what credentials [you will need, for example]," he says.

The full Ponemon 2013 Survey on Medical Identity Theft is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio