Medical Identity Theft Becoming Lucrative Cyber Crime

By Shawn Dougherty  |  September 15, 2014

The big data breaches in the news today often focus on the theft of personally identifiable information (PII), such as names, addresses, and credit card numbers. But it’s another kind of confidential data, protected health information (PHI), including medical records and health insurance numbers, that’s quickly becoming the target of choice for cyber criminals.

Just think about what health insurance pays for today. Doctor visits, prescription drugs, surgeries, and medical devices are the basics and can quickly add up as part of medical identity fraud. Those hackers that don’t want to commit fraud can still reap the rewards. A complete medical identity can be worth about $50 on the black market. Now, multiply that by the millions of records stored by hospitals across the country, and you can easily see how one successful hack can lead to a major payday for cyber criminals.

Last month, Community Health Systems, a healthcare company that operates more than 200 hospitals across the country, said in an SEC filing that 4.5 million of its patients were affected by a cyber attack during the spring. In the filing, the company said the attackers obtained the names, addresses, and Social Security numbers of patients, not their medical records. But the news has been a reminder that in today’s connected world, patient data is at greater risk than ever before.

A study last year by the Ponemon Institute found that the number of victims affected by medical identity theft had grown nearly 20 percent over the year. At the same time, half of those surveyed didn’t know that medical identity theft can create permanent damage to their medical records. The medical identity theft victims surveyed experienced misdiagnosis (15 percent of respondents), mistreatment (13 percent), delay in treatment (14 percent), or were prescribed the wrong medication (11 percent).

So, what can you do to protect your medical identity? As in most cases, the best protection is vigilance. When you receive an Explanation of Benefits (EOB) from your insurance company, check to make sure it includes only the physicians you’ve seen. When you finish reviewing the document, shred it or keep it in a secure place (old-fashioned data theft is still alive and well). And if you’re asked for your medical or insurance information, give it only to a healthcare provider you trust.

Hospitals also need to be vigilant and ensure they have the right people and systems in place to keep patient information secure. In the event they suffer a breach, they need an emergency plan to investigate the incident and notify affected patients as well as the financial resources to pay for it. How much would that all cost? That’s a good question.

But in case you’re wondering, Community Health Systems told the SEC that it had cyber insurance and didn’t expect the incident to hurt its business significantly.

To learn about ISO’s various cyber offerings, visit the ISO Cyber Risk Solutions website, www.verisk.com/cyber, or e-mail me at sdougherty@iso.com. You can also follow me on Twitter @doughertyshawn.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.