What’s behind the dramatic rise in medical identity theft?

October 24, 2014

by   OCTOBER 19, 2014, 11:44 AM EDT

A decentralized U.S. health system, increasing digitization of records, and demand in the black market are fueling a surge in thefts.

An elderly man went to the emergency room after injuring his back. When he got there, the doctor noticed that he also had an infection. He offered the elderly man penicillin, the same medication he received during his last visit to the ER.

The elderly man was confused. This was his first visit to the ER, and he was allergic to penicillin. Why would his records say otherwise?

It soon became clear that someone else had used the elderly man’s health insurance card at the ER to obtain penicillin and a host of other medications. At some point, the elderly man had misplaced his card; after he reported it lost, his insurance company sent him a replacement with the same number.

This was just one of several harrowing anonymous stories told to the authors of a report by the Medical Identity Fraud Alliance called “The Growing Threat of Medical Identity Fraud: A Call to Action.” In the last five years, the number of data breaches in the medical sector has quadrupled. Last year, for the first time, the medical sector experienced more breaches than any other. It’s again on track to lead in 2014, according to the ID Theft Center. While the health care industry has long suffered fraud by providers or employees fraudulently billing insurers, Medicare, or Medicaid, the medical industry is only just now trying to catch up to the quickly growing threat from hackers.

With the increasing digitization of health information (in the form of electronic health records) and the formation of health exchanges (due to the Affordable Care Act), the trend in medical identity theft is unlikely to abate any time soon. Personal medical information is useful to many different types of criminals, which is why it fetches a higher price on the black market than financial information. The sheer number of targets also makes the medical sector easy prey. Furthermore, technology has come relatively late to the health industry, and data security at health organizations can lag behind. The digitization that accompanies the Affordable Care Act may initially cause a surge in the number of breaches, but some analysts believe it could eventually reduce demand for medical information.


After HIPAA Omnibus, Breach Tally Spikes

October 20, 2014

Huge Increase in Incidents Under New Notification Guidance

By , September 23, 2014. Follow Marianne @HealthInfoSec

In the year since federal regulators began enforcing the HIPAA Omnibus Rule, there’s been a significant spike in the number of major breaches posted on the Department of Health and Human Services’ “wall of shame” tally of incidents affecting 500 or more individuals.

Since HIPAA Omnibus enforcement began last September, the tally has grown by a whopping 67 percent to include 1,126 major incidents, up from 674. The number of individuals affected grew from a total of about 27 million individuals as of late September 2013 to about 38.7 million as of this week, a 43 percent increase (see Wall of Shame: Four Years Later).

Experts say a number of factors contributed to the spike in reported incidents. In addition to the growing mindfulness of HIPAA compliance requirements among many covered entities and business associates – and ramped up regulatory enforcement activities – a significant factor is the HIPAA Omnibus Rule’s much more detailed breach notification guidance. In a nutshell, security incidents are now presumed to be reportable unless healthcare organizations demonstrate through the four-factor assessment that risks are low.


Community Health Systems faces data-breach class action

October 15, 2014

By Darius Tahir 

Posted: October 13, 2014 – 2:30 pm ET

Community Health Systems, the 207-hospital, 29-state operator, is facing a class-action lawsuit brought by a New Mexico woman, Briana Brito, over a data breach it reported Aug. 18.

The suit, filed in the 4th Judicial District Court in San Miguel County in New Mexico, is being handled by law firms Slack & Davis and the Branch Law Firm, which are meeting with additional potential class representatives in Las Vegas, N.M., on Oct. 15, and have fielded inquiries from other patients based in six other states interested in joining the lawsuit, Slack & Davis attorney Paula Knippa said in an interview.

Brito and her family contend in the suit (PDF) that they were treated at Alta Vista Regional Hospital, Las Vegas, N.M., at the time the breach took place. “As a result of defendants’ failure to implement and follow basic security procedures, plaintiff’s sensitive information is now in the hand of thieves,” according to the suit. The suit does not ask for a specific dollar amount in damages, but instead calls on a jury to determine that at trial.

A CHS spokeswoman declined to comment on the lawsuit, per company policy on pending lawsuits. Opposing attorney Knippa expects a formal response to the complaint to be filed by the end of the month.

The breach was a massive one: 4.5 million patient records were exposed, making it the second largest in HHS’ records, which date to 1997.

According to a CHS SEC filing describing the breach, the hack likely originated from China and focused on valuable non-clinical, non-medical data, such as “patient names, addresses, birthdates, telephone numbers and Social Security numbers.”

Hackers struck in April and June 2014. CHS offered identity theft protections to affected individuals.

CHS’ SEC filing anticipates the possibility of litigation, but does not expect it to have a material effect on its finances.

The law firms also are starting a national campaign, primarily on television, to alert potentially affected individuals about the data breach and potentially recruit them as clients as well.

The focus of the existing suit will likely be on Community Health Systems’ security procedures and the operator’s alleged tardiness in alerting patients about the dangers of the data breach, Knippa said.

“It’s uncertain at what point that information will be exploited. The problem is that personal information doesn’t change. The repercussions of this event could be felt for years,” she said.