The evolution from paper to online medical records is an opportunity to engage patients more fully in their care while making healthcare organizations more efficient. However, while patients enjoy the convenience of self-service access to all of their medical information, the portals offer cybercriminals a one-stop-shop for identity theft as well.
According to Identity Theft Resource Center in San Diego, medical identity theft is the fastest growing type of identity theft, increasing at 32% annually. In fact, healthcare-related data breaches are already 10 times more frequent than data breaches in the financial services sector. And unlike stolen credit card information, which is often detected within a few transactions, medical identity theft often goes undetected for over a year.
The comprehensive data contained in patient portals is especially lucrative to fraudsters, demanding a premium price in the underground market. While a stolen credit card number may sell for a dollar, a full set of medical records can command hundreds of dollars. The breadth of data within a patient portal offers fraudsters multiple opportunities to “cash in.” Compounding the problem is the level of detail presented on patient portals, often including unmasked insurance IDs, full images of patients’ insurance cards, problem lists, prescription histories.
Stolen medical identities are used by criminals in two ways: obtaining medical care under the victim’s identity and using the identities to fraudulently bill for services or durable goods, which were never delivered. Problem lists, which are a mandated component of patient portals, are particularly useful to criminals, because they allow classification of each victim by the type of fraud which their identity could support. The problem lists typically use standard terminology, which makes them particularly useful for classification purposes. Using malicious software, criminals can search the lists for “key words” describing conditions that demand specific types of services or durable goods. This targeted approach would make fraud more personalized to the victim’s profile and harder to detect.
Most patient portals use simple password protection, which can be easily captured by key-logging malware. This type of malware lays dormant on the victim’s machine, waiting for the victim to log into a patient portal site. When the patient logs in, the malware wakes up and captures the victim’s username and password. Using the stolen credentials, the criminals can get into the site, and once in can collect extensive information about the victim.
Medical identity theft has severe consequences for both patients and providers. Patients are faced with the financial costs of covering fraudulent bills and medical costs stemming from treatment of other individuals. Comingling of the victim’s and the criminal’s medical records can also put the patient in life-threatening situations if treated or diagnosed incorrectly. Providers face steep financial costs from retribution payments and HIPAA violation fees up to $1.5M per violation, however arguably the most significant consequence they face is damage to reputation.
Complicating matters is the fact that security measures cannot be so onerous that they dampen consumer adoption. Towards that end, use of covert technologies to analyze the identities and devices enrolling into a patient portal or logging in to it can increase security without impacting user experience.
Precise ID® with FraudNet for healthcare portals provides healthcare organizations with a way to confidently authenticate patients and reduce risk during enrollment and ongoing access to healthcare portals. It does so in a streamlined manner without burdening patients with increased wait times and complexities. Together, these solutions identify fraud, authenticate patients and validate devices – all in a single platform.
To learn more, view Experian Health’s complimentary on-demand webinar, “The Hidden Risks of Healthcare Portals,” or download the new white paper, “The Pitfalls of Healthcare Portals,” where we outline why your portal may be more vulnerable than you think.
