
Medical Identity Theft: How Healthcare Data Breaches Turn Patients into Victims

This is part 2 of a 4-part series on medical identity theft. Be sure to read Parts One, Three and Four.

Passengers on the London Underground are told to “mind the gap,” a warning to watch for the space between the train door and station platform. Healthcare organizations need to mind their own privacy and security gaps when it comes to protecting sensitive medical information.

According to Gemalto’s latest Breach Level Index, the healthcare sector had the most data breaches in the first half of 2015, accounting for 21 percent of total incidents across all industries. Healthcare also had the largest number of records breached, at 84.4 million records, or 34 percent. The nature of these gaps has changed over the years. For instance, criminal attacks are now the leading cause of healthcare data breaches, according to Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data.

In the first part of this four-part series, we looked at the impact of medical identity theft on its victims. In this article, we’ll examine how healthcare data breaches, particularly those caused by the criminal element, have caused medical identity theft to nearly double in five years.


The Link Between Data Breach and Medical Identity Theft

According to the Wall Street Journal, medical identity theft is on the rise because of the “surge” in electronic health records and healthcare data breaches. But it’s more than the digitization of health records. Medical data is everywhere, thanks to a plethora of devices, from tablet computers to medical implants and even Fitbits and Apple watches that are recording health data and transmitting it over the Internet.

Rick Kam, co-founder of ID Experts, told Forbes that healthcare data breaches are also on the rise because financial services and retail sectors have developed better strategies for protecting their data. This includes the use of EMV cards that use a chip instead of a magnetic stripe. As a result, many hackers are turning to the more vulnerable healthcare industry.

In addition, he said, medical information is simply more profitable on the black market. The Dark Web offers cyber-criminals multiple global marketplaces in which to sell stolen personal information, including healthcare records. According to the FBI, healthcare records can fetch up to $60 to $70, as opposed to about five dollars for credit cards.

“This is all converging to create a perfect storm for getting this data,” Rick Kam said in the Forbes article. “It’s more available, it’s worth more, and the healthcare organizations aren’t as good at protecting the data because they haven’t had to be.”

As Dr. Shantanu Agrawal, director of the Center for Program Integrity at the Centers for Medicare and Medicaid Services, told the Journal, “Data breaches are increasing and becoming more common. You can end up with diagnoses being placed in your file without your knowledge.”

Smart, Strategic Data Protection

To protect patients against the harms of medical identity theft, the healthcare sector must step up its data protection measures. While there is no such thing as zero risk in today’s connected, digitized world, health plans, hospitals and other entities that hold medical information can mount a strategic defense against cyber criminals.

For instance, in a MedPage Today interview earlier this year, Dwayne Melancon, chief technology officer with Tripwire, recommends following the example of financial institutions that classify and segregate their data. “You…have to have good segregation of data,” he says, “where you make sure that only a select group of people can access sensitive data, that there are lots of controls around it, and make it more difficult for people to casually browse data and take it.”

Melancon also cautions healthcare organizations to spend their security dollars wisely. “Just because it’s a dollar spent on security doesn’t mean it’s worth spending,” he says. “All of this should be aligned within a good risk framework to make sure that people really are spending in a way that increases security, and doesn’t just add window dressing.”

In other words, they must mind the gap.


Next in this series, we’ll discuss the growing problem of healthcare fraud.
