One of the most interesting things that came out of the recent medical identity theft webinar was Larry Ponemon's presentation. He talked about the findings of a recent survey on medical identity theft. Ponemon pointed out that this is the first study on medical identity theft in US to determine the scope, magnitude; root causes, detection, consequences, and steps that have helped resolve medical identity theft.
- Some statistics that he shared:
- 9% of the respondents to the survey were a victim or personally knew a victim
- 6% of those were cases of medical identity theft
- 29% reported wrong information in their medical record
- 46% did not file a police report
- 9% reported that their problem was resolved
As you might expect, most people (75%) feel that the responsibility for protecting medical information belongs to the medical industry. But when four out of five hospitals admitted to compromise affecting at least one patient, the public perception seems to be that the job is not getting done.
The Impact of Legislation
The recent Health Care bill that caused such a ruckus in Washington, DC has to rely heavily on government oversight. They will need to see your financial records to know how much you can pay. This will include your work record, your credit record, your bank records, etc. And they will need to see your medical records to make sure you're getting the right treatments, the right medications are being prescribed, to cut down on duplication of tests, and so on.
The bill was rushed through the House of Representatives, like the ARRA, so it was surrounded by a lot of controversy. The oversight structure is highly bureaucratic and complex, massive authority was put in the hands of non-elected officials, and the Executive Branch has a history of mismanaging programs that were started with the noblest of intentions. Oddly enough, there wasn't a lot of press on the privacy issues that will naturally surround government oversight. Maybe the press didn't find it as newsworthy, or maybe the subject just didn't come up.
A Push Towards Privacy
Deven Mcgraw is the Director of the Health Privacy Project, and is deeply involved in finding solutions to the privacy/technology tug of war. She knows that without proper safeguards in place, the "use of technology is magnifying the risks of medical identity theft." And while the National Health Information Network (NHIN) has not finalized a set of standards for data security in medical records, the recent upgrade to HIPAA and the Red Flags Rule are steps in the right direction.
The Vice President of IT at Mount Sinai Medical Center, Paul Contino, made the issue very clear from the medical provider viewpoint. With medical identity theft hospitals and doctors have more to worry about than just protecting our information. These represent specialized businesses that are vulnerable to all the problems a business faces with identity theft (loss of goods and services, loss of reputation, loss of clients, etc.) as well. When a hospital sees a 112% rise in medical identity theft from 2008 to 2009, it can impact the quality of care their patients get.
To help protect patient information Mount Sinai issues their patients a "Health Card" for identification. This card has a photo of the patient and their name clearly visible on the front of the card. It also has a smart chip embedded on the card that provides "demographics" and a bar code for registration. In turn, the barcode provides a medical record number and identity verification when the patient checks in. This is similar to biometric identification – it can provide a positive identification but doesn't protect the medical record from data breach.
And this is Contino's biggest concern. In his own words:
The planned quick release of health data exchange will set large sets of data online, and dramatically increase the security and privacy risks. This doesn't make our healthcare system better. Without adequate safeguards and security, it may make a problem much worse far more quickly.
Another aspect of medical identity theft is that some people "volunteer" to be victims. Well-meaning family members have been known to give their insurance information to a relative to take care of a medical condition they could not otherwise afford. This leads to false information in their medical record that is seldom removed. It also explains why almost half of medical identity theft victims filed no police report, which is a required document to resolve any identity theft.
Volunteering to be an identity theft victim is not limited to medical cases, either. Letting someone use your name to get utilities for a cell phone are probably the most common forms of volunteering, but the results are the same – a damaged credit report and an identity theft that you can't resolve without reporting it to the police and getting your friend in trouble, when all you intended was to help them out.
In the end the message is the same: protect your personal information, don't give it to friends, watch your credit report, your Explanation of Benefits from your insurance company, your driving record, check with the local police regularly to find out if you're wanted for anything, read your Social Security statement if you get one, shredding everything with your information on it and watch the news for data breaches that may affect you.