Medical identity theft jumped 22 percent last year as more U.S. health data becomes electronic and easier for cyber criminals to steal from doctors’ offices, hospitals and insurers.
Incidents of medical identity theft in 2014 saw almost 500,000 people fall victim to sham companies committing insurance fraud, or impostors seeking free medical care, according to a report released this week by the Ponemon Institute, a Traverse City, Michigan-based data-privacy research firm.
Resolving such incidents of fraud cost victims an average of $13,500 in expenses, such as paying medical bills racked up in their name or legal fees, the report found. In 19 percent of cases, the victims said erroneous information added to their medical records by an impostor, like a positive drug test, cost them career opportunities.
The numbers are expected to continue rising this year as health-care hacking persists, said Ann Patterson, a senior vice president for the Medical Identity Fraud Alliance, which sponsored the report. Already this year, as many as 80 million customers of health insurer Anthem Inc. had their personal data stolen. Medical data has become a popular target for criminals as it can sell for more than 10 times as much as financial data on the black market, security analysts say.
“I feel like criminals are going to increasingly target the health-care sector where there is just data left and right for them,” said Patterson. “I don’t know for sure that that increase will correlate to a rise in medical identity fraud, but it does seem to make sense.”
Patterson said her group started seeing a big jump in medical identity theft cases after 2012 as electronic medical records became more common.
In about half of medical identity theft cases, a person’s information is bought for around $50 to $100 by someone without insurance to get medical care or medications, Patterson said. The impostor shows up at a hospital or doctor’s office pretending to be the victim. They supply the stolen date of birth, address and insurance ID or social security number, which in most cases is enough information to get treated.
The bill for the care is sent to the insurer, and the victim is left on the hook for any co-payments, deductibles or services not covered. The care the impostor received can also show up in the victim’s medical records.
In the other half of cases, criminals set up a fraudulent company and bill the insurer for services never provided to the person whose identity they stole. For example, criminals will buy the identities of seniors in a certain geography who have difficulty walking and bill Medicare in their name for motorized scooters that were never sold to them, Patterson said.
Unlike with financial-data theft, where the credit card company or bank picks up the tab and a new card is issued, medical identity theft can be much more costly and time-consuming. It took an average of 200 hours to resolve a case, the study found. Health-care providers are also less savvy at fighting cyber criminals than retailers or banks since they haven’t been a target for as long.
“Health-care fraud can get very intricate and very sophisticated, they are smarter and one step ahead of everyone else, it seems,” said Patterson. “The industry is aware of cyber threats and vulnerabilities but it is a little bit newer to them compared to retail or financial services.”