Medical identity theft is when someone steals or uses your personal information (like your name, Social Security number, or Medicare number) to submit fraudulent claims to Medicare and other health insurers without your authorization. This makes processes such as medical data entry risk-prone and sensitive. Medical data can be compromised in-house or to outside entities. When utilizing documentation services and other in-house or outsourced solutions, you need to be extra cautious and have adequate security measures in place.
Medical data theft usually occurs following
- an offer of free medical equipment or services followed by a request for a Medicare number
- a request from a friend, relative, or stranger to borrow or pay to use a Medicare card or other identity card, or
- a telephone survey that asks for a Medicare number
To fight such identity thefts, Medicare will be mailing every beneficiary a new card with a unique new number to identify them. Known as Social Security Number Removal Initiative (SSNRI), this mission will begin by April 2018 and end on December 31, 2019.
According to a February 2017 survey from Accenture, one in four U.S. consumers (26 percent) have had their personal medical information stolen from technology systems. The findings show that half (50 percent) of those who experienced a breach were victims of medical identity theft and had to pay approximately $2,500 in out-of-pocket costs per incident, on average. It was found that the breaches were most likely to occur in hospitals, followed by urgent-care clinics (22 percent), pharmacies (22 percent), physician’s offices (21 percent) and health insurers (21 percent).
What Goes Wrong If Patient ID Is Not Protected?
AJC.com reports the case of a former clinic employee, who was accused of stealing patients’ information and used one of the victims’ identity to rent a car. The accused is thought to have stolen the medical records of 10 patients of Atlanta Asthma and Allergy where she worked.
BizTimes reports that confidential information of about 9,500 patients was compromised in a phishing attack on the Medical College of Wisconsin’s email system, during the period July 21-28, 2017. The compromised email accounts contained one or more of the following: names, home addresses, dates of birth, medical record numbers, health insurance information, dates of service, surgical information, diagnosis/condition and treatment information.
Business Examiner reports that the Department of Social and Health Services’ Behavioral Health Administration has confirmed that an employee at Western State Hospital had sent a spreadsheet containing private information of 515 patients to an incorrect email address. Personal health information such as names, admission dates to Western State Hospital, the Western State Hospital medical record number, date of birth as well as specific diagnosis of infection were included on the spreadsheet.
WKBW reports the case of an Orchard Park doctor, who has been arrested after being accused of getting drugs through fraud and identity theft. This doctor had fraudulently used the names of dozens of patients, both dead and alive, to obtain controlled substances.
Protect Patient Data from Identity Theft
Patient healthcare records contain a wealth of personal and financial information, from Social Security numbers and birth dates to credit card and bank account numbers, making it valuable to commit fraud.
Every hospital needs to be aware of and prepared to prevent such thefts and ultimately reduce your hospital’s risk. These steps can be helpful.
- Consider better identity verification based on Equifax, Experian, TransUnion and LexisNexis identity verification and knowledge-based authentication.
- Invest in the right health IT solution and secure storage options to ensure the safety of patient information.
- Educate patients about medical identity theft, as many cases of fraud could be prevented if patients paid closer attention to their records and statements.
- Hospital staff should also be trained to identify any errors that could signal fraud during patient interactions and when processing paperwork.
- Never store unnecessary patient details. Outdated or unused medical information should be disposed of in a responsible manner. When no longer needed, shred documents containing personal information.
Strict data security measures should be followed to keep PHI safe. Healthcare firms considering data entry outsourcing should make sure to choose a partner that adheres to HIPAA guidelines.