Medical identity theft is a growing concern without a solid solution. According to the Federal Trade Commission (FTC) medical identity theft has gone up 61.5% (2012) from the year before. The World Privacy Forum states that it affects 1.5 million Americans and costs more than $30 billion. The loss of private medical information occurs most often with the theft or loss of a laptop, an employee error, or an action of a third party. Some people get jobs just to steal information. Criminal attacks on IT security comprise a large percentage of reasons for medical ID theft, that being 33%, up from 20% two years ago. Stolen medical information such as medical files, billing and insurance cards, are used to get health care services, such as through Medicaid and Medicare. Providers worry that there is a co-mingling of medical information between the victim and the thief. In response healthcare organizations are not as prepared as they should be. In fact, many are not in compliance with HIPAA.
On September 23, 2013, HIPAA rules expand to help consumers protect and control their health information in a digital age. There will be tougher penalties under the Health Information Technology for Economic and Clinical Health Act (HITECH). One of HITECH’s rules mandates that companies report to the U.S. Department of Health and Human Services any data breach involving more than 500 people. HHS posts these breaches on their “Wall of Shame.” http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. If you are interested in your city or state who has breached confidences, this cite will help you find out that information.
Obviously, it takes months if not years to remedy many breaches as well as significant dollars. There is a cultural infrastructure problem wherein many businesses have a major gap in understanding how their IT risks affect general risk management. More than 57% of companies do not seriously analyze their cyber risks, and thus their management of their medical IT is poor. Another key issue is how to put a value on the stolen information.
Some companies have been working hard to spot possible misuse, such as flagging suspicious information or proactively restricting information to users or better encrypting data. Yet, with photographs and biometrics becoming an important part of medical records over time, concerns about medical ID theft continue to mount.