There are a lot of people saying that healthcare is particularly vulnerable to hacking. And, full disclosure, most of them stand to profit if you believe them (including HIPAA experts like me, in fact). The recent breach of insurance giant Anthem’s patient data gives an opportunity for a bunch of news articles on just this point. So let’s consider it for a moment.
Much hacking and phishing is aimed at access to quick-value money: credit card numbers that can be used right away (with the victim perhaps not knowing about the use until the bill comes, or perhaps not even noticing it when the bill comes), or actual bank or financial account data so current funds can be withdrawn, phony checks written, etc. In this type of hacking, the reward comes quickly to the hacker, but might be small change and is usually not a long-term proposition.
Some hacking is designed to allow for real identity theft: the hacker acquires a Social Security number and other information, impersonates the individual to obtain credit cards, car loans, even house loans, runs up big debts, and when the credit card company or bank tries to collect, the impostor is gone with the loot. Meanwhile, the victim is left to try to prove that it wasn’t him or her that used the credit card, got the car or house loan, whatever it may be. The reward takes longer, but can be much bigger than snatching a credit card number.
With regard to both of these types of hacks, the victim, the bank or credit card company, and the downstream vendor (the store at which the stolen credit card is used, the seller of the car or house, etc.) are all incentivized to prevent the hack, since all of them stand to suffer substantial harm: the victim’s credit might be ruined (or he might pay for something he didn’t get), and the bank, the credit card company, or the later vendor might be left holding the bag.
Health records sometimes contain credit card numbers, but often don’t, making them not particularly useful for the first type of hack. On the other hand, health records usually contain Social Security numbers and other demographic data that can be useful for the second type of hack. Thus, medical records might be useful for traditional identity theft schemes.
However, the much bigger risk—and what medical records are particularly well-suited for—is medical identity theft. This type of hack targets patients with good insurance, and allows someone to impersonate the insured and receive the insured’s health benefits.
The impostor gets free or reduced-cost healthcare, but unlike most other hacks, the “victim” (the person whose data was stolen) doesn’t immediately suffer; in fact, the victim might benefit, since the impostor might actually pay a part of the victim’s annual deductible. Additionally, the person whose data was stolen is not in a very good position to know it was stolen, unless he regularly checks his EOBs (frankly, even if he scrupulously checks his EOBs, they can be hard enough to understand that the medical identity theft might not even be noticed).
Rather, the immediate victim is the insurer, who pays for care for someone who did not buy insurance. And if the insurer discovers the identity theft, the care provider becomes the victim, since the insurer may try to recover the funds paid to the provider for the imposter’s care.
Unlike a stolen credit card number, which can be used to purchase almost anything (including cash cards), a stolen medical identity is not as easy to immediately monetize. However, the lower level of vigilance by the potential victim may make medical identity theft easier to pull off.
More importantly, however, the risks of medical identity theft far outweigh the risk of credit card theft or regular identity theft. An impostor who receives care while posing as the insured will leave behind a medical record that might be relied upon by some future healthcare provider.
Perhaps the impostor is not allergic to penicillin, but the insured is; the impostor receives care at a hospital and the medical record says the patient may have penicillin. When the real insured shows up, tragedy might occur. Thus, while regular identity theft might cause financial ruin to its victims, medical identity theft can kill.
Does the Anthem hack indicate that an epidemic of medical identity theft is on its way? Most criminals are looking for quick cash, and medical identity theft doesn’t offer as quick a reward as access to a bank account or credit card number.
However, given that there is profit to be made in medical identity theft, and the risks are much greater, healthcare providers, insurers, and patients should all be on high alert for signs of it, and be prepared to quickly respond. Furthermore, even if medical identity theft is not the goal, hackers may will seek health records for regular identity theft. Finally, healthcare providers and insurers are simply obligated under HIPAA to protect those records, regardless of the threat of medical identity theft.
Jeff Drummond is a partner in the health law section of Jackson Walker LLP. He primarily represents hospitals, physicians, and other providers in transactional and regulatory matters, with particular emphasis on Stark and Anti-Kickback issues.