While credit card breaches at retailers are grabbing headlines,
identity thieves are quietly homing in on an even more lucrative
area: health insurance and medical records.
More than 1.8 million people in the U.S. were victims of medical
identity theft in 2013, according to a survey by the Ponemon
Institute released in September. That's a 19 percent increase over
the previous year. "Medical identity theft is the fastest growing
component of ID theft," says Drew Smith, founder and CEO of
InfoArmor, a provider of business-to-business identity theft
The latest case involves the alleged theft by Chinese hackers of
4.5 million medical records from Community Health Systems, a
company that runs 206 hospitals in 29 states. Thieves stole records
including names, addresses, birth dates, telephone numbers and
Social Security numbers.
Like any type of identity theft, medical ID theft can damage
your credit and cost you hours of hassles trying to clear it up.
But it could also endanger your life if incorrect information
appears on your medical records.
Why the bull's-eye? Health information is easier to hack than
credit. In April, the FBI issued a private industry notification
warning health care providers that their data networks are not
as robust as those in the financial and retail sectors, and "the
possibility of increased cyberintrusions is likely."
Safeguards are in the works, but the move to electronic records
and the health exchanges set up under the Affordable Care Act,
otherwise known as Obamacare, have opened new opportunities for
fraud, both online and off.
Experts say Americans can expect to see medical fraud heat up
again in the months before
open enrollment for 2015 government-subsidized
begins in November 2014.
Your medical ID: black market gold
Why would hackers bother with health insurance when they could get
a direct line to your pocketbook via credit cards or financial
accounts? "It's very lucrative," says Ann Patterson, senior vice
president and program director at the Medical Identity Fraud
Alliance. "Stolen protected health information can be monetized for
a much greater value than traditional financial account
A complete medical identity -- including name, address, phone
number, Social Security number, medical insurance information and
access to medical records -- is worth about $50 on the black
market, says Michael Bruemmer, vice president of Experian's Data
Breach Resolution group. "Without medical or insurance information,
that drops to about $10 for someone's stolen information."
Bruemmer's group helped resolve 1,000 health care client
breaches last year, including the largest breach of HIPAA, the
Health Insurance Portability and Accountability Act.
Medical identity theft usually happens on a large scale, with
hundreds or even thousands of identities stolen at one time. Once
hackers have a medical ID, they can use it to procure prescription
drugs or expensive medical equipment or simply to commit financial
fraud -- often for months or years before anyone notices.
Why? Partly because people don't pay much attention to their
medical or insurance records. While most of us wouldn't let a bank
or credit card statement go unread, we tend to ignore the
explanation of benefits (EOB) issued by our health insurance after
we have a doctor's appointment or medical procedure.
'Friendly' fraud common
More than half of all medical identity theft is what's known as
"friendly fraud" or "a victimless crime," according to the Ponemon
Institute study. A typical example: an uninsured sibling or friend
borrows your insurance card for a procedure, with or without your
In 2013, the Medical Identity Fraud Alliance interviewed 800
victims of medical fraud. When asked what they would do
differently, half said nothing. "Especially with the Robin Hood or
'victimless' crime, most people don't think there are
consequences," says Patterson. "They say it's no big
Yet there is no such thing as victimless medical identity theft.
"If your sister has allergies that you don't have or a different
blood type, her allergies and blood type are now comingled in your
records," Patterson says. If you're unconscious and need an
emergency transfusion or injection, that misinformation can kill
That kind of consequence comes, in equal measure, from both
friendly and malicious medical identity theft, yet we continue to
be lax about sharing our health information. "As a society, we just
look at health in a very different way than we look at our
finances," Patterson says.
Detecting medical fraud before it hurts you
Sometimes it takes a questionable medical bill to alert someone to
a compromised medical identity, but even that doesn't always do the
trick. Many people simply ignore such bills from their insurance
companies. By the time a red flag goes up, your insurance may have
been used to procure prescription drugs, black-market medical
equipment and emergency room visits.
The consequences can be expensive. The Ponemon Institute found
that 36 percent of medical ID theft victims pay to resolve the
issue, and their out-of-pocket costs average nearly $19,000. Even
if you don't end up paying out of pocket, such usage can wreak
havoc on both medical and credit records, and clearing that up is a
That's because medical records are scattered. Unlike personal
financial information, which is consolidated and protected by
credit bureaus, bits of your medical records end up in every
doctor's office and hospital you check into, every pharmacy that
fills a prescription and every facility that processes payments for
Bruemmer expects that will change soon, with more progressive
states raising the bar. "California, in particular, has the most
stringent standard for what constitutes a medical or health care
breach," he says. If an individual's username and password are
compromised on a health care portal there, the provider is required
to notify him or her within five days, Bruemmer says.
"I actually think that's the way the industry is going and there
will be more regulations across more states," Bruemmer
Compiling a composite identity for the big scam
One small breach of information here and there may not seem like
much, but each one could be adding up to something serious. "Five
years ago, most hackers were looking for Social Security numbers,
credit card numbers. They were going for the quick, easy fraud,"
says Smith. "Today, they're looking to steal someone's health
credentials, insurance information, credit card account passwords,
so they can continue to monetize victims' identities over a longer
period of time."
"Thieves are getting smart," Bruemmer agrees. "One organization
may take a username and password, another your credit information,
another your Social Security number. The last one may actually get
your medical records. What they're doing is amassing, in three or
four incidents over a period of time, the full identity
Bruemmer says, for example, that thieves often use hacked email
accounts to gain personal information. "People say, 'Oh, it's just
the username and password for my email account, I'll just change
that.' You'd be surprised how many people forget and let it go.
Then, all of a sudden, something really bad happens."
As with any organized crime, fraudsters jump from one channel to
the next, as each locks down. "In the financial world, they jumped
from hard checks to electronic to online banking, and now mobile
fraud," Patterson says. "Now they're jumping from traditional
financial channels into health care channels."
in 2013's big retail breaches, online medical fraud has become more
sophisticated in recent years. Yet old-fashioned huckstering is
alive and well. In July, the owner of NC Behavioral Health and
Counseling Services of Durham, North Carolina, was
for health care fraud, identity theft and 13 other criminal charges
after submitting bogus claims for at least 56 clients. Court
records allege that instead of covering medical services for the
patients, the owner spent the $1 million she received from Medicaid
on a Cadillac Escalade, a Mercedes and a swimming pool.
New fraud opportunities courtesy of Obamacare
Obamacare and the expansion of Medicaid have opened up a
whole new stream of opportunities for fraudsters, experts say. In
June, a backpack was discovered on a street in Hartford,
Connecticut, near the Access Health CT exchange. Inside were four
notepads containing the Social Security numbers of 151 people
enrolled in Connecticut's Obamacare exchange.
"There are so many opportunities out there to defraud people,"
says Dennis Jay, executive director of the Coalition Against
Insurance Fraud. "You're dealing with populations that are new to
insurance and don't understand the dangers of selling a Medicaid
number or sharing a health ID number."
Just before the rollout of Obamacare, roving gangs began
knocking on doors in lower-income neighborhoods, requesting health
information they said was needed to expedite the new health plans.
"People gave it out," Jay says. He expects that kind of fraud to
pick up as the open enrollment period for 2015 coverage through the
health insurance exchanges nears.
The expansion of Medicaid accompanying Obamacare has led to
similar door-to-door solicitations, he says. "The Medicaid
expansion also concerns us because there are roving gangs that will
pay you to share the numbers with them," Jay says. "Once
[fraudsters] have those numbers, they know they're golden. A lot of
Medicaid systems won't detect it for many months and there could be
tens of thousands or even tens of millions gone before that
It's too early to measure the impact of the health exchanges set
up under Obamacare and the sharing of health records online. "We
haven't even seen how secure those sites are," Smith says. "But
given the problems they've had, it would be surprising if we don't
see identity theft bump up over the next couple years because
information has been compromised."
What you can do to keep your medical identity
Be vigilant about your personal information.
Shred all documents with any kind of sensitive information and
change your passwords on a regular basis. "Don't use the same
password on multiple platforms," Bruemmer advises, "particularly
health care platforms, financial institutions, government
Don't share health information with solicitors or
. Steer clear of links in emails that request that information
online. Don't give out your information over the phone to someone
claiming, for example, to represent your insurance company. Don't
give it to anyone who appears at the door, either. A common scam
now, according to Jay, is to knock on doors asking for medical
information to renew an Obamacare policy.
Avoid sharing sensitive information.
Even health care providers sometimes overreach. Many automatically
ask for your Social Security number. "In many cases, they don't
need it but it's the default question," Bruemmer says. "As a rule of
thumb, don't share anything of a personal nature with a health care
provider that you wouldn't consider sharing with your
Read that EOB, preferably via email.
An Explanation of Benefits from your insurance provider is not
exactly easy reading, but it's worth more than a scan -- and the
sooner, the better. "I encourage people to get their explanation of
benefits via email," Smith says. "They come through much faster,
instead of getting lost in the mail. Anything you can do to monitor
your EOB is a great start."
Move quickly on breach notifications.
If you get a letter from a health care provider saying your
health care information has been exposed, read it carefully and
follow the instructions immediately. Such letters usually offer
helpful tips on how to protect yourself and take advantage of free
Check credit reports and medical records.
You can access each of your credit reports from the three major
credit bureaus for no cost once a year at
. Evidence of medical identity theft often shows up there in the
form of unpaid medical bills. You also have the right to review
your medical records. Any time you have a medical procedure or
visit a new physician, you should request and review a copy of your