I recently saw a somewhat startling statement — to the scammer a stole medical "identity" can be 50 times more valuable than any other kind of stolen identity. Personal health information is valuable. Depending on what's included, each record can be worth between $2 and $50 on the black market, compared with 50 cents to $1 per record for credit card information.
A medical identity thief can use, or sell on the open market, your medical identity — your name and health insurance numbers — in order to get treated at a hospital or emergency room, to see a doctor, to get prescription drugs, to file their health claims with your insurance provider, or generally to get healthcare without paying for it by getting your insurer — whether Medicare or a private insurer — to pay for it.
We previously noted here some of the results on medical identity theft. We detailed the story of the woman who opened her door to find the police and child services investigators there to arrest her and seize her newborn who had tested positive for a drug addiction. The woman's youngest child was six.
We talked about one woman who went to her local hospital's billing department to argue about the bill she received for the amputation of one of her legs. She pointed down and essentially said, "See, they're both there."
Or the man who was prescribed physical therapy for an injured knee and when he went to the therapist he was told his insurer had denied him coverage because he had already used up his PT allotment for the year. He, as you might have guessed, had not been to a physical therapist in a number of years.
Or the teenager who was embarrassingly turned away from a high school blood drive because her Social Security number had been used by a patient at a free AIDS clinic.
All, of course, were victims of medical identity theft.
Health information can be stolen one ID at a time by a healthcare worker or because of the careless maintenance of records in a medical practice, even down to what's on a sign-in sheet at the front desk. Or it can be lost due to a data breach — by a hacker — or again from the careless handling of patient databases.
The Federal Trade Commission and the U.S. Department of Health and Human Services because concerned in 2009 that large scale healthcare data loses were occurring. So a requirement was imposed that all healthcare record breaches affecting 500 or more people must be reported to those people covered and to HHS where they are posted on the HHS website.
The industry responded by establishing the Health Information Trust Alliance (HITRUST) to better educate the industry and to act as a clearinghouse for data on major breaches.
Data compiled by HITRUST provides a little good news/bad news scenario.
The data reveals that since 2009 (through late last year — government statistics tend to lag) the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. The good news is that hospitals and health systems seem to be getting the message about better information security because this group has experienced a decline of 71 percent from 2010 to 2011 in the number of breaches, and for the first two quarters of 2012 has only experienced 14 breaches (compared with a total of 48 for 2011). Health plans have also seen a steady decline in breaches since 2009 and have not had to post one since the first quarter of 2012.
The bad news is that overall the healthcare industry's susceptibility to certain types of breaches is largely unchanged. While there has been a decline in large breaches — those affecting 500 personas or more — the number of smaller thefts and breaches continue to grow and now number the tens of thousands each year, as the reported numbers of cases where stolen medical identities are being used also continue to grow.
But large breaches still occur. Just this past week the University of Florida sent out letters to 14,339 patients of UF & Shands Family Medicine saying that they may be the victims of identity theft following the arrest of an employee who appears to be part of an identity theft ring.
In my next blog I will give some tips on how to safeguard your medical records, how to detect if you might be a victim of medical identity theft and lastly how you can recover from medical identity theft.