March 26, 2011, 9:36 PM — When most people think of identity theft, it's credit card transaction fraud or perhaps a criminal taking out a car loan or a mortgage in someone else's name. What doesn't always come to mind is someone stealing identity and medical credentials and then using those to obtain needed medical care, or selling those credentials on the underground market.
According to many industry experts, medical identity theft is on the rise because it is profitable, and the increasing use of electronic health records makes more data accessible. Additionally, Credit card numbers and other forms of financial data are losing their market value. "While credit card data will earn a few dollars on the black market, medical and medical insurance account information can sell for hundreds," says Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies.
Also see: Lessons of ChoicePoint, 6 Years Later
Also, explains, Higgins, while credit cards, banks, and financial services firms have systems highly tuned to spot fraudulent transactions, the same isn't true for health care services. "They're much less mature when it comes to their ability to spot fraudulent transactions," he says.
Jennifer Leuer, general manager of Experian's identification protection service ProtectMyID agrees. "The health care industry is much more fragmented, with dozens of providers potentially being part of a transaction," she says.
That's what makes incidents, like when managed health care services provider Health Net disclosed that 1.9 million customers were notified that server storage containing personal and health data went missing. The drives contained names, addresses, Social Security numbers, financial information and health data of current and former Health Net members, employees and health care providers, according to Health Net's statement on the incident.
Last week, the Ponemon Institute, sponsored by Experian ProtectMyID, released their second annual National Study on Medical Identity Theft. The study concluded that roughly 1.5 million Americans are victims of medical identity theft. And, according to the study, the average cost to resolve a case of medical identity theft is $20,663, up from $20,160 in 2010.
The study surveyed 1,672, and of those, 633 were known to have experienced identity theft directly or through the experience of a close family member.
The types of attacks that lead to medical identity theft are not unlike other types of identity theft: family member stole the credentials (36%), don't know the vector of the breach (17%), the breach was at a health care provider (14%), malicious employee at a health provider's office (10%), lost wallet (9%), mailed statement intercepted by criminal (8%), and phishing attack (6%).
Leuer believes that, unlike financial identity theft, medical identity theft is not on the top of peoples' minds. "When people lose their wallets, they'll think to replace their driver's license and they'll call their credit card companies but they won't think to report their health insurance card," she says. "Hopefully, we think, the increased mandatory reporting of health breaches will drive more needed awareness about medical ID theft," she says.
Earlier this month, the Federal Trade Commission released its annual consumer fraud report, and for 11 years straight identity theft topped the list of complaints with 9 million Americans falling victim every year.
When not hunting for his lost wallet, George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
