I was speaking with a friend the other day about Medical Identity Theft, HIPAA compliance and enterprise fraud management. We were discussing a survey report published in March by the Ponemon Institute that found roughly 1.5 million Americans are victims of medical ID theft. In the survey, fourteen percent of respondents said the breach occurred at a health care office, and 10% said employees at a health care organization’s office had stolen the data.

 It occurred to me that medical identity theft is one of those “wild west” opportunities for identity thieves at the moment. While everyone is pretty familiar with the concept of financial fraud and what happens when your credit card information is stolen, what happens when someone pretends to be you to access medical care can have far more devastating consequences.

According to the Federal Bureau of Consumer Protection, here are some indications that might indicate that someone has been a victim of medical identity theft. Victims may:

• get a bill for medical services they didn’t receive;
• be contacted by a debt collector about medical debt they don’t owe;
• see medical collection notices on their credit report that they don’t recognize;
• be told by their health plan that they’ve reached their limit on benefits; or
• be denied insurance because their medical records show a condition they don’t have.

Source: http://business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan

Whoa—think about that for a moment. Those are significant impacts. Then, spin the scenario out a bit further. What happens if medical records become co-mingled at the provider level? Can you get to a point where the records of the thief are entered into the medical history of the victim? According to the experts, you can. Back in 2006, Pam Dixon, founder of the World Privacy Forum, referenced the challenges that medical identity theft can create and cited examples of misinformation appearing in patient files. She also stated that changes to patient records could remain in the files for many years.

Providers Protecting Privacy as Part of Their Healthcare Brand

Leading healthcare organizations are increasingly seeing ways to protect their brand while safeguarding patient privacy. Moving the privacy discussion beyond the HIPAA disclosure form that all of us sign when accessing care and making ePHI protection a differentiator demonstrates a commitment on the part of the provider. When given a choice, my healthcare dollars are spent with those institutions that care enough about me to protect my personal information. It just makes sense to require the same level of accountability from my doctor as I do from my bank—the risks are just as real and the opportunity for damage may even be greater.

It’s easy to point fingers when another organization has an insider fraud incident. But information from the new Survey on the Risk of Insider Fraud by Attachmate Corporation and Ponemon Instituteshows that more organizations need to turn a scrutinizing eye toward their own risk.

The survey encompassed more than 700 organizations and revealed some alarming data security trends:

• More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
• Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
• On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week – about 53 in a year’s time(infographic available). Twenty-four percent of respondents indicated that their organizations experienced more than 100 incidents in the past 12 months.
• Once an incident has occurred, it takes organizations an average of 89 days to discover it and an additional 96 days to uncover the root cause and determine the consequences to the organization.
• A majority of respondents – or 62 percent – were unable or unsure of their ability to assess the financial impact and true costs of fraud.
• Approximately two-thirds of internal fraud investigations do not result in actionable evidence against the perpetrators, meaning a majority of the incidents go unpunished and leave organizations vulnerable to additional incidents.

“This data demonstrates that employee actions across an enterprise are not visible,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “While organizations may have policies in place that are meant to curtail insider fraud, what’s on paper doesn’t necessarily lead to compliance.”

In fact, 52 percent of respondents noted that they do not believe they have the appropriate technologies to prevent or quickly detect insider fraud, including employees’ misuse of IT resources. Traditionally, IT departments review log files to analyze employee activity. However, 78 percent of respondents believe the manual review of log files is an inadequate method for observing questionable or suspicious employee access and computing activities.