Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)¹.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 million records costing roughly $4 billion.  Government organizations including VA hospitals accounted for the highest number of lost records and the states with the most health care data breaches are California, Texas and New York.  Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

 The report also found that the majority of breaches (70 percent) were electronic and the leading cause data breach incidents were due to stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach but over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medial industry does not find a way to protect themselves from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place which could pose a problem in the event that the device is lost.  In addition, due to the smaller sizes of this group, they lack the resources and awareness to properly arm themselves with the proper data breach protection in all areas of their practice.  This could expose a larger problem for the entire healthcare industry since community health records and health information is often shared between medical institutions of all sizes. 

¹ HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to insure information security is a core value in the broad adoption of health information systems and exchanges.

As medical data breaches continue to spike, the federal government is seeking remedies to try and prevent medical identity theft.  

Nearly 21 million Americans are at risk of having their medical identities stolen after having their healthcare records exposed in data breaches.¹ And that’s just since September 2009, when a new breach notification rule took effect and the U.S. Department of Health and Human Services (HHS) began enforcing the rule and tracking healthcare breaches.  

As the problem continues to worsen – theft of medical data increased by 50% last year² – the federal government is looking for ways to both stem the tide of breaches and help consumers whose medical records have been exposed.    

The Centers for Medicare and Medicaid Services (CMS) – which provides coverage to 100 million people – can play an important role in this effort. As the single largest healthcare payer in the nation, CMS can help consumers by responding to breaches a little quicker and by providing more information in its notifications, according to the HHS Office of the Inspector General (OIG).

But the OIG’s recommendations can apply to all healthcare organizations that want to help their patients, clients or employees whose personal information has been exposed due to a data breach. 

OIG officials believe if organizations send out breach notifications on-time and provide enough information, then potential victims can take steps to protect themselves. They can be more diligent about checking their credit reports, financial statements and medical records. They can also subscribe to credit and identity monitoring services, if these services aren’t already provided to them by their organizations.

If everyone does their part, perhaps the healthcare industry will eventually see the tide turn on data breaches and medical identity theft.

¹ U.S. Department of Health and Human Services Office for Civil Rights.

² Identity Theft Resource Center

Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

The latest Ponemon Institute Medical Identity Theft survey reflects the classic good news, bad news scenario. The good news is that more consumers understand how medical identity theft happens, and the importance of checking healthcare invoices and records for accuracy. The bad news is that the victim count has hit an all-time high (nearly 2 million annually), while breach frequency and financial damages continue
to rise, unabated.   

Losses up 44% from 2010

Data extrapolated for 2012 reveals that losses from medical identity theft will top $40 billion, up 34% from last year and 44% from 2010. During any given hour thieves using pilfered credentials will steal nearly $5 million worth of medical services, equipment and prescriptions.

The survey also revealed:

• Higher costs for recovery and resolution: victims pay on average $22,346
  (up 10% from 2011) to resolve medical identity theft, including the cost of identity theft protection and retaining legal counsel
• Difficulty knowing when the crime occurred: one quarter of those asked did not know when their medical identity was stolen, while 34% said it took more than a year to find out
• Collection letters still top the list: though more consumers learn of medical identity theft from suspicious statement or invoice entries, nearly 40% of victims first hear of their misfortune through collection letters

In a subtle but potentially instructive revelation, just 4% of survey respondents said a healthcare provider or insurance company notified them of the theft.  

Providers beware

So how is all this flavoring consumers’ attitudes toward healthcare and insurance providers? The biggest non-financial consequence, according to Ponemon, is a loss of trust and confidence. If people perceive a lack of effective data safeguards, most (58%) feel no compunction about going elsewhere for services. If their medical records were ever lost or stolen 56% of respondents would also feel justified making a change.  

Watch the vital signs

The top three actions desired by victims following medical identity theft include: reimbursement for the costs of changing providers; prompt notification of the loss or theft; and free identity theft protection for at least one year. (Hint: Providers can use these survey insights to develop post-breach strategies and programs aimed at reestablishing trust and confidence.)  

Employers can also play a role in medical identity theft awareness by encouraging (and if needed, teaching) employees how to:

• Keep medical information private
• Regularly check medical records for accuracy (57% of those surveyed don’t)
• Be more proactive about monitoring statements and charges
• Review and interpret credit reports
• Engage an identity theft protection service

Bottom line? When it comes to medical identity theft, vigilance is good medicine–for consumers and healthcare providers alike.

Don’t expect medical breaches and healthcare fraud to drop off the radar anytime soon. Here’s why.

First, the number of breaches in the industry is still escalating. In 2011, healthcare breaches occurred 32% more frequently than in 2010.¹

Second, the profitably of medical records on the black market is high – 192% more profitable than Social Security numbers. Estimates put the former at $50 and the latter at $1, according to a GovTech.com article.

It’s this frequency and profitability that, in part, help to ensure the continuation of data loss and fraud. The sooner the industry accepts and prepares for incidents, the better.

Healthcare organizations still have a lot to do in that regard. Forty-three percent rank their ability to counter internal and external data security threats as “needs improvement,” “poor” or “failing.”² And their actions – or lack thereof – can adversely affect patients. Medical identity theft can cost a consumer $20,663 to resolve.³

 So what exactly is compromising data security at healthcare organizations? In a recent study, most organizations (54%) agreed that a lack of budgetary resources dedicated to security and privacy is the greatest weakness in preventing a breach.⁴ The study also named the top three causes of data breaches as:

• Lost or stolen computing devices
• Third-party errors
• Unintentional employee actions⁵

Looking at the list, it’s clear that budgeting for security and privacy needs to encompass protecting mobile and other computing devices, training employees and verifying that third party partners uphold a high level of security as well.

Without a well-rounded approach to data security, organizations make themselves even more vulnerable at a time when vulnerability is a given. Organizations big and small can’t do without computers, third parties and employees – or at least two of the three. So the risk of a breach and resulting fraud can never be completely eradicated. Human error alone is impossible to eliminate.

But risks can be managed with a comprehensive plan that addresses a full spectrum of weaknesses and threats. A plan that includes access controls and encryption for sensitive data as well as a response guide to handling a data breach if one occurs.

[footnotes]

1. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
2. Healthcare Information Security Today (2011)
3. Second Annual National Study on Medical Identity Theft, Ponemon Institute (2011)
4. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
5. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)

Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the new found convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too.

A recent study suggests that adopting new technology is a far greater priority than securing it. Eighty-one percent of healthcare organizations are using mobile devices to “collect, store and/or transmit” protected health information (PHI) but 49% “do nothing” to protect the devices.

The lack of security has been detrimental. The same study found that the breach of protected health information (PHI) records increased 97% from 2010 to 2011.

While data loss is certainly a burden to organizations, mobile security doesn’t have to be. Here are four key considerations for mobile-equipped medical offices:

1. Encryption
   Consider the encryption capabilities of a device before you purchase, not after. Carefully choose tablets and phones that offer a high level of encryption across the various functions and facets, including removable storage, of the device. If your office is already mobile-equipped, be sure encryption is standard procedure.
2. Storage
   Think of a mobile device as a way to access data, not store it. A secure server or cloud network is more appropriate for a centralized storage location, to which your mobile devices can connect and disconnect. The latter function is essential, as the portability of a mobile device makes it both easier to lose and more attractive to thieves. According to the Department of Health and Human Services, stolen physical devices account for 71% of breached healthcare records. A missing device that’s online with your data bank poses a serious threat to you and your patients.
3. Access
   Mobile devices should be password-protected, and so should access to your data bank through the devices. Job requirements should determine what devices and passwords each employee in your office can access. Also consider whether bring your own device (BYOD), when employees use their personal devices to access work data, fits with your security approach.
4. Employees
   Don’t overlook the element of human error in your mobile security plan. In 2011, the volume of breached medical records resulting from an employee losing an unencrypted device jumped 525%. Since you can’t ever completely eliminate human error, be sure to train your employees on properly using and handling mobile devices, as well as reporting any loss, theft or signs that a device has been tampered with.



Experian will be at the annual HCCA 2012 Compliance Institute conference at Caesar’s Palace in Las Vegas. This conference offers an important opportunity to meet industry professionals with solid credentials in a number of areas related to medical information and data security. Some of the topics to be addressed at the conference include healthcare reform, compliance effectiveness and HIPAA privacy/data breach.

Attendees at the Compliance Institute can choose from 128 sessions and 225 speakers. Special conference tracks address legal and regulatory issues and privacy and security concerns, as well as general compliance. Also offered are advanced discussion groups, industry immersions, speed networking and more. For more information, go to http://www.compliance-institute.org/.

Come and visit our booth. We’ll talk about ProtectMyID^®, Surveillance Alerts^TM and ProtectMyID^® ExtendCARE^TM, as well as other Experian products that can play a critical role in protecting your organization, informing patients of a data breach and helping your organization recover from an incident. You can also enter your name in a drawing for a chance to win a new iPad.

It’s no secret that healthcare data breaches are steadily on the rise.  As technology has modernized healthcare, it has also made healthcare more vulnerable to hackers, fraudsters, and costly bad luck (such as when a lost portable hard drive exposes the personal health records of thousands of patients.)

The threat is real, so how do security experts suggest you protect yourself?

According to GovInfoSecurity, here are 8 tips to help ward off healthcare security breaches:

1. Risk Assessments
HIPAA security risk analysis has been in short supply, thus exposing personal health information to the vagaries of chance.  Many large healthcare breaches have involved the loss or theft of mobile devices and media containing unencrypted PHI, pointing to the fact that risk assessments were not conducted or had failed to identify mobile devices as a vulnerability.  Comprehensive assessments should take into account internal and external infrastructure, web applications and wireless security, and mobile device policies and employee training should be conducted for all healthcare organizations.

2. Encrypt Mobile Devices and Media
Data encryption is important in every setting, and this is especially true when it comes to healthcare data.  Further, some experts think that health organizations should go further than encryption and simply not allow patient data to be stored on mobile devices at all.

3. Increase Training
Security policies alone are not enough.  Employees must be trained in these policies in order for them to be effective.

4. Conduct Internal Audits
Internal breach threats can be mitigated by the establishment of regular internal audits, which can deter would-be fraudsters while also identifying internal breaches before they snowball further.

5. Monitor Business Associates
With business associates accounting for 22% of major breaches, it’s important to make sure that vendor partners are as security conscious as you are.  Audits should extend to business associates in order to ensure vendors are practicing agreed-upon security measures.

6. Limit Data Storage
Massive unencrypted databases are a recipe for disaster.  Encryption is important, but addressing the size of databases is also relevant.  Limiting the amount of personal data your organization possesses is an important step in ameliorating the consequences of data breaches.

7. Paper Records Are Also Important
Good old-fashioned paper records can also lead to data breaches, so amidst the focus on online threats don’t forget about the hazards of paper.

8. Address Other Vulnerabilities
Weaknesses such as wireless access vulnerabilities, ineffective encryption, rogue wireless access points, firewalls separating wireless networks from internal wired networks, and authentication requirements for entering wireless networks are examples of breach threats hat fall into the “miscellaneous” category.

Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Join us on Tuesday, April 26th for a live webinar with Dr. Larry Ponemon presenting Medical Identity Theft Trends: The Importance of Securing Healthcare Data.

What are some of the dire consequences of medical identity theft? It could be the shock of receiving a collection letter requesting immediate payment for an expensive medical procedure you never had. Or, it might result in a mistake on your healthcare record that could threaten insurance coverage or worse yet cause you to receive the wrong medical treatment.

According to Ponemon Institute’s Second Annual Survey on Medical Identity Theft, we estimate that more than 1.49 million Americans have been targeted by this crime. With an average cost per victim of $20,663 the total national economic impact of medical identity theft crimes is more than $30 billion.

Why is medical identity theft on the rise? First, we found that consumers lack awareness about this crime, which could make them more complacent and more vulnerable. Second, medical identity theft is often a family affair. More than one-third of victims in our study say that it was a family member who took their personal identification credentials. Finally, the victims tend to be older with a greater likelihood of having Medicare and other Social Security benefits. They also may not be as savvy about the need to protect their medical identity.

Consumers can minimize their risk by safeguarding their medical credentials and making sure they provide sensitive information only to appropriate healthcare organizations that take the security of health records seriously. Consumers also should monitor health records and credit reports to make sure that if their identity is stolen the incident can be resolved as soon as possible. In turn, organizations have a responsibility to protect patients’ records from being lost or stolen and to inform consumers of the need to safeguard their medical credentials. Taking such steps is critical to reducing this billion-dollar crime.

Today’s headlines trumpet yet another high-profile medical data breach, this time through Health Net.  The company’s nine missing computer drivers have exposed the records of 2 million policyholders, thus compromising personal information that includes addresses, Social Security numbers, financial data and other information about customers, employees and healthcare providers.  California insurance regulators are conducting multiple probes to determine whether Health Net, which services 6 million policyholders nationwide, “did everything it could have done to avoid and appropriately remedy this security breakdown.”

This corporate catastrophe reminds us of the increasing hazard of medical fraud, which is the most expensive and time consuming to resolve of all types of identity theft[i].  The second annual National Study on Medical Identity Theft, fielded by the Ponemon Institute provides further insight into this pervasive problem and how it affects consumers.

Key finding include:

Recognizing the importance of privacy does not equate to action:

• Nearly 1.5 million Americans have been affected by medical identity theft
• The average cost to resolve a case of medical identity theft is $20,663, up slightly from $20,160 in 2010
• Nearly 70% of total respondents felt it is important to have personal control over medical records
• Nearly 80% felt that healthcare organizations should ensure the privacy of personal medical records
• Nearly half (49%) of past medical identity theft victims took no new steps to protect themselves after their own incident
• 50% of respondents did not report the incident to law enforcement or other legal authorities, up from 46% in 2010

Consumer indifference is fueled by lack of understanding of repercussions

• Of those that failed to report an incident, 43% cited the lack of resulting harm and the desire to “not make it a big deal.” This is up from 37% in 2010
• 37% of respondents fear embarrassment as a result of medical identity theft more than loss of medical coverage (21%) or a diminished credit score (18%)

Consumers are uninformed of new healthcare reform policies

• More than half of respondents (55%) are not familiar or have no knowledge of the new healthcare reform policies
• 79% are not aware of the plan to create a national electronic database of American’s health information
• 33% of respondents believe that a national electronic database will increase the risk of medical ID theft

Medical identity theft is a family affair

• In many cases, the victim discovers the thief to be a relative and the crime is often not reported to authorities
• The leading instance of medical identity theft was at the hands of a family member, accounting for 36% of all victim responses, making it the most common scenario by an overwhelming margin
• According to 51% of respondents, the number one reason for not reporting the incident after discovery is because the victim knew the thief and did not want to report him or her

Health Net is conducting its own investigation into its recent data breach, and regulators have praised the company for acting quickly to alert consumers about the incident.  Healthcare organizations are responsible for protecting consumer privacy and reporting breaches, but the National Study on Medical Identity Theft’s survey confirms that consumers need to play their own part in reporting incidents and helping healthcare companies protect private medical information.

[i]2010 Global Privacy Summit Presentation: The Potential Damages and Consquences of Medical Identity Theft and Healthcare Data Breaches – Dr. Larry Ponemon