RSA: Identity Theft Challenges for Healthcare

The phenomenon of medical identity theft is on the rise, and healthcare companies face more challenges in addressing the issue than their counterparts in the financial services industry, a panel of experts agreed Thursday at the RSA 2010 conference in San Francisco.

The Federal Trade Commission estimates the number of American patients victimized by medical ID theft each year at 250,000, and research firm Javelin Group recently reported that while the number of incidents is relatively low in comparison with financial identity theft, the financial impact of medical IT thefts is much higher because of the astronomical costs of medical care.

Ryan Brewer, chief information security officer for the Centers for Medicare & Medicaid Services (CMS), said the financial industry has done a good job of dealing with this, in part by sending the all-too-familiar letters alerting customers of suspected data breaches and re-issuing affected credit cards. Such simple actions won’t work for healthcare firms, Brewer said. “How often have you gotten a letter from a healthcare provider saying, ‘We had some data stolen, and we’re issuing you a new blood type’?” he asked.

One of the primary encouragements for ID thieves is the healthcare industry’s wasteful habits, said David Young of Geisinger Health System, a four-hospital network in Pennsylvania. Young noted that 18 cents of every dollar spent in the U.S. is spent on healthcare, and that half of those 18 cents can be traced to waste. “The fraudsters are seeing a goldmine in the healthcare industry,” he said. Plus, he said, they can justify it as a victimless crime. “It’s not so much the patients’ money as it is a third-party payer, like an insurance company.”

But make no mistake: patients’ are frequently directly affected, too. Brewer says a common scam among fraudsters is to create a dummy Web site that looks just like a CMS site, then lure unsuspecting people there with emails promising bargain-basement medication prices.

All of the panelists concurred that medical identity theft is likely to get worse until federal agencies commit more resources to helping battle it. Maybe this will spur them to action: Young says he’s even seeing cases where hackers accesses athletes’ injury records and then sell that information to bookies looking for any edge they can get on the wagers they cover.

Back to CIO Insight