Another health care data breach

Steve Weisman | for USA TODAY

Following close on the heels of the massive data breach at health insurer Anthem, the parade of hackings at major health care providers continues with the recent announcement of a data breach at UCLA Health System affecting 4.5 million people. The hacking appears to have gone on undetected since September of 2014 until its recent discovery. The compromised information is a treasure trove of personal data for identity thieves. It included names, Social Security numbers, medical records, ID numbers and addresses. But, as I always say, things aren't as bad as you think – they are far worse. The stolen data was totally unencrypted making the threat to the people whose data was in the UCLA Health Systems computers more serious.

Regular readers of my USA TODAY column should not be surprised at this continuing series of major data breaches at health care providers. It was one of my cyberpredictions for 2015 that I made in December of 2014.

Medical identity theft can not only result in your finances being threatened; the mixing of medical records of the identity theft victim with the medical records of the identity thief utilizing the same medical insurance can potentially be deadly, such as when a person might receive the wrong blood type for a blood transfusion. Compounding the problem is the fact that it is extremely difficult, and sometimes impossible, to remove the identity thief's medical information from the victim's medical records after the problem has been discovered, due to quirks in the medical privacy laws.

Medical identity theft is a bad problem that is only getting worse. While credit card identity theft financial liability is limited by federal law to $50, the majority of victims of medical identity theft paid an average of $13,500 to resolve the crime. In addition, according to the Ponemon Institute's Fifth Annual Study on Medical Identity Theft, "In many cases, victims struggle to reach resolution following a medical identity theft incident. In our research, only 10% of respondents report achieving a completely satisfactory conclusion of the incident.

Consequently many respondents are at risk for further theft or errors in healthcare records that could jeopardize medical treatments and diagnosis. Those who resolved the crime spent on average more than 200 hours on such activities as working with their insurer or healthcare provider to make sure their personal medical credentials are secured and can no longer be used by an imposter and verifying their personal health information, medical invoices and claims and electronic health records are accurate."

Those people affected by the UCLA Health System data breach will be notified by regular mail by UCLA with an explanation of their options. Here is a link to a press release by UCLA which describes the data breach and provides information about how to enroll in the free credit monitoring program.

With the health care industry accounting for 42.5% of all data breaches over the last three years, considerably more than any other sector of the economy, according to the Identity Theft Resource Center and 91% of all health care organizations reporting at least one data breach over the last two years, the question for consumers seems to be less how do we prevent ourselves from becoming a victim of medical identity theft and more what can we do to limit the damage?

One of the first things we can start off by doing is limiting the amount of personal information that we give to our health care providers. A person's Social Security number is a key to identity theft. Armed with this single piece of information an identity thief can steal your identity and make your life miserable. Health care providers routinely ask for your Social Security number although they generally have no need to have it. Respectfully demur when asked for your Social Security number and give the health care provider some other personal identifier, such as your driver's license number if needed.

A second thing to do to help you catch any problems early is to read your Explanation of Benefits that you get from your health insurer carefully. Many of us get confused by these documents that detail our use of our health insurance, but are generally written in code and jargon that does not clearly explain anything. Consequently, many people merely look at the bottom right corner of the document to see if any payment is required and if one is not, don't bother to try and comprehend the document. Unfortunately, if you do not carefully peruse your Explanation of Benefits, you may miss charges or use of your insurance by an identity thief.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.