February 17, 2015

9 Surprising Facts about Medical Identity Theft

Security experts warn that cyber criminals are increasingly targeting the healthcare industry. There is so much information of value available, and it’s often not that difficult to steal.

Here are 9 surprising facts about medical identity theft.

  1. Worth. A piece of medical information costs 10 times more than credit card information on the black market, according to a Thomson Reuters story. Health credentials such as policy numbers and billing information sell for up to $10 each, which is 10 to 20 times more than what credit card numbers get.
  2. Numbers. The healthcare industry accounted for 42% of major recent data breaches reported in 2014, according to the Identity Theft Resource Center.
  3. Cost. Healthcare had the highest per capita data breach cost of all sectors, according to the 2014 Cost of Data Breach Study: Global Analysis. The cost for healthcare organizations was $359 per data breach compared to the overall mean of $145.
  4. Cyber attacks. According to Ponemon, the percentage of healthcare organizations that have reported a criminal cyber attack rose to 40% in 2013 from 20% in 2009. The breach at Community Health Systems, with 206 hospitals in 29 states, was one of the largest data breaches of 2014, compromising 4.5 million patients. Protecting patient privacy is key.
  5. Surprising sources. Another reason medical identity theft occurs is that people let family and friends use their personal identification. In Ponemon’s 2013 Survey on Medical Identity Theft, 30% of respondents allowed a family member to use their ID to get treatment, healthcare products, or pharmaceuticals. Not only is this illegal, it can create inaccuracies in medical records – and treatment mistakes in the future. Healthcare organizations and governments are urged to improve authentication procedures to guard against impostors.
  6. Equipment. Many healthcare organizations have ill-equipped computers. To improve cyber security, the FCC recommends the latest security software, Web browser and operating system, along with antivirus software, firewall security, secured Wi-Fi networks, unique passwords, and multi-factor authentication.
  7. Non-compliance costs. A lost laptop cost Concentra Health Services $1,725,220 in non-compliance fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. This year, there will be random audits to assess compliance with the privacy, security and breach notification laws/rules.
  8. Conversion trends. The 2015 Second Annual Data Breach Industry Forecast by Experian warns that the trend of converting paper medical records to digital is growing the computerized healthcare system by millions. The increased playing field (for cyber criminals) also increases the risk of cyber attacks and data breaches.
  9. Wearable devices. Devices that a person wears to measure heart rate, calories expended and steps taken, for example, also increase the amount of Personal Health Information (PHI) that is at risk of being stolen. What can help? Implement a total security culture including an information security policy, regular employee training, controlled access to confidential information, and secure document management.

Secure document destruction is also an important information security best practice in a medical workplace. This security checklist shows what kinds of paper and electronic documents must be securely destroyed when no longer needed.