Sage Advice - Cybersecurity Blog

Medical Identity Theft: Tips for Detection, Correction, and Protection

medical-identity-theftIf you’ve been the victim of identity theft, you’re not alone. In the past five years, we’ve seen healthcare data breaches grow in both size and frequency, with the largest breaches impacting as many as 80 million people. One in four US consumers had their healthcare data stolen in 2017, and 50% of breaches resulted in medical identity theft. Victims paid an average of $2,500 out-of-pocket costs per incident (Accenture).

There are many reasons why healthcare organizations are a favorite target for hackers, and a data breach has the potential to impact us all.  We’re all patients – and therefore we’re all at risk of having our medical identities stolen. Here are some tips for how to detect if you’re a victim of medical identity theft, steps you can take to correct any issues, and ways that you can protect your medical identity and prevent future incidents.

Detecting medical identity theft.

The first step is to look for signs of compromise. Read the Explanation of Benefits (EOB) statement that comes from every provider or insurance company you have. Read the Medicare summary. Check the name of the service provider and the date of service. Make sure the claims match the care you received. It’s imperative that you pay attention to all these things.

A little bit more time spent reviewing your records can save you a whole lot of pain. Pay attention to the signs. Did you receive bills for services you didn’t get? Are you getting calls from debt collectors or are there medical collection notices showing up on your credit report? Are you being denied insurance for a condition you don’t have?

These are real things happening to people every single day and they are increasing.

It’s important to know your rights. You have an accounting of disclosures that's due to you by law every 12 months from every healthcare provider. You can also request it. It includes what information was sent, where it was sent, when it was sent, and why it was sent. We all sign the HIPAA privacy notice that describes how medical organizations are going to share our data. Be sure you read it and understand where your data lives.

Correcting the damage.

If you spot a discrepancy, get on top of it as fast as you can. File a police report early. Write providers to request correction(s), and include any official documents, including the police or identity theft report. Explain any inaccuracies, and include any documents with supporting evidence. Ask for deletion of inaccurate records. Keep all original copies.

It’s also important that you check your state privacy laws to determine the cost, if any, of record requests. Generally speaking, the cost is low. Requesting records might be just $1 or as much as $10. If you're in process of cleaning up your medical records though, this cost is negligible.

If you don't get what you requested, you can complain to the US Department of Health and Human Services Office for Civil Rights. They will follow up on your complaints and hopefully move your case along.

Protecting your medical information.

So, how do we protect our medical information? First and foremost, do not share your medical or insurance information with anyone. If someone calls or emails you asking for this information, be sure they are who they claim they are. Did you initiate contact with this particular source? If not, we recommend asking, “Can I call you back?” This is a great control against fraud because it usually ends a fraudulent attack pretty quickly.

If someone does provide you with a number, you can determine if they are a legitimate organization by putting the number into a Google search. If the number comes up associated with the organization, they are legitimate. If the number search returns a long list of links offering to “find out who owns this number,” then you know you’re in a fraud situation, and you just avoided a nightmare.

Another way to protect your information is to read website privacy policies so you can understand where organizations are going to send and share your information. Also, be wary of offers for free health services and products or if you are contacted in regards to a recent breach. Finally, regularly pull and review your credit report from all three bureaus. Go through them and make sure there's nothing anomalous.

Remember the faster you respond, the quicker you can do a cleanup, and the less it's going to impact you in very serious ways.   

Establishing preventative and protective controls.

Here are some basic preventative and protective controls that you should consider to reduce the risk that your medical identity will be stolen.

#1. Password security.

You should have strong passwords for all your accounts. You could use a standard complexity model, which is a minimum of eight characters and include uppercase letters, lowercase letters, numbers, and special characters. Or you can follow new guidance that recommends using four unrelated words or phrases that has at least 15 characters.

You should always use unique passwords for each site where sensitive information is stored or transactions are exchanged. Also, consider using a password manager, like Dashlane or Last Pass, and be sure to turn on multi-factor authentication. Never share your passwords, and be sure to change them at least annually.

#2. Control network and computer access.

Consider segmenting your network, so that kids' and guests’ devices and computers are on a different wireless network from the computer you use to access your secure accounts. Or simply restrict access to the computer you use to access banking and healthcare functions and information. You should also implement parental controls and monitor use. 

#3. Change default settings.

For all IoT (Internet of Things) devices, such as routers, weather stations, smart appliance, baby monitors, security cameras, etc., you should change the administrator username and password, along with the device / network (SSID) name. There are databases of these defaults for every manufacturer of every device out there available for the bad guys to get, so make sure you change them.

#4. Perform regular updates and patches for all devices and software.

You should select automatic updates if available. If not, get in the habit of checking for updates. Most devices and software have built-in updating links or menu items.

#5. Use the personal firewall built-in to Windows computers.

If you have a Mac, you can purchase separately. 

#6. Use anti-malware software. 

Be sure to set it to update as often as it is possible.

More Resources

If you want to learn more about medical theft, here are a few resources you can check out.

Cybersecurity Risk Assessment & Analysis

Topics: Cyber Defense, Healthcare

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More