- BlogInfoSec.com - https://www.bloginfosec.com -

Medical Identity Theft … Where Have You Been, WSJ?

The Wall Street Journal published a front-page article “The Doctor Bill from Identity Thieves” by Stephanie Armour on August 8, 2015 as if medical identity theft is a new issue. It isn’t. My colleague Allan Pomerantz wrote a BlogInfoSec column on the subject more than seven years ago … see http://www.bloginfosec.com/2008/06/19/medical-identity-theft-your-money-or-your-life/ [1]. The annual Ponemon study on medical identity theft, which Armour cites, is in its fifth year … see http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf [2]. So medical identity theft is by no means a new issue, just one that has been ignored.

Allan raised many of the critical issues described in the WSJ article and added that medical identity theft is underreported. He was right, and still is. If it has taken all this time for the matter to appear on the front page of a major newspaper, then the subject has certainly not received the attention it warrants. Seven years of lost time is huge in the cybersecurity arena where events typically occur in milliseconds.

And the health industry appears to have done little to alleviate the problem. I recently advised someone to request that their health insurance company change the patient’s insurance coverage number following the Anthem breach and in response to clear evidence that stolen identities were being used for various nefarious purposes. The insurance-company employee responded that there wasn’t any way in which they could make the change … and, besides, no one else had requested such a change before. Of course, that is a ridiculous response. When you are aware that a payment card has been lost, stolen or otherwise compromised, financial institutions are quick to issue a new card and cancel the old card to limit their own losses. It would appear that, in the health-services industry, the burden is firmly on the insured. Perhaps the losses to the health industry itself are not particularly significant. And furthermore, some health-services providers may be actually benefitting from such fraud. After all, they do not appear to be liable if someone comes in for medical services using a valid health-insurance ID.

As Allan’s column and the WSJ article point out, the consequences of medical identity theft can be far greater in terms of physical safety than the losses incurred in financial fraud. The fact that HIPAA might actually work against resolving the issues and not protect valid insured individuals from the impact of medical identity theft is unconscionable. The WSJ article lists six consequences ranging from having all one’s benefits stolen and having valid claims denied through loss of insurance, unjustified out-of-pocket payments, cost of fixing credit reports and resulting lowering of credit scores, to being unable to access one’s own health records because HIPAA protects the health information of identity thieves that is co-mingled with victims’ records. It should be noted, however, that in an August 14, 2015 Letter to the Editor “Don’t Blame the Poor Victims of Medical Identity Thefts,” Jennifer Comerford claims that the article’s assertion that medical ID thieves are protected by medical-privacy laws is in fact not the case. Comerford states that “All individuals should be aware that they have the right to appeal refusal of access to their medical records.” If this is indeed true, we are being misled big time by those who claim otherwise.

I’m glad that Allan’s issues are at last making it to mainstream media. Perhaps legislators will recognize the failings in their laws and correct them, even if it means that a qualified third party (not insurance companies) is given the right to review the claims records and determine which of them are fraudulent. If a parallel law to the Fair Credit Reporting Act, which pertains to financial institutions, were established, namely, that the victims have very limited liability (say $50) and that it is up to the vendor (bank or insurance company or health services provider) to either eat the losses or go after the thief, I’m sure that we would see a significant drop in this type of criminal activity.

We must not forget, however, that (unlike U.S. financial institutions) insurance companies are regulated by States rather than the Federal government. This makes the task more challenging but no less worthy. It’s time to eliminate this insidious crime that not only causes financial damage but can lead to physical harm or worse.