Pssst... want to buy some protected health information? Organized crime syndicates of hackers are stealing databases of medical or financial data and reselling them on the black market -- complete with fake driver licenses -- for up to $1,300 in tidy downloadable packages called "kitz." Willing buyers can present themselves at hospitals or physician offices to get health services covered by the victim's insurance plan. That's one form medical identity theft presently is taking.
Another common form of medical identity theft involves an uninsured relative of an insured patient borrowing an insurance card to illicitly obtain healthcare.
EHRs are sold without any idea of interoperability. Because of it, a consumer's contaminated records can be all over the place.
development coordinator, MIFA
A new nonprofit industry consortium, the Medical Identity Fraud Alliance (MIFA), is tackling the problem head-on. Charter members include ID Experts, AARP, the Blue Cross Blue Shield Association, the Identity Theft Resource Center and the National Health Care Anti-Fraud Association.
MIFA hopes to enlist 100 public and private healthcare stakeholders, including payers, providers and vendors, to join its ranks. The key people from those organizations that the group wants at the table include chief information security officers, anti-fraud team leaders, consumer affairs officers and communications teams.
Goals for the organization include researching the scope of medical identity theft and how it works to develop industry-standard solutions. Furthermore, MIFA plans to raise awareness of the problem in the healthcare industry and among policymakers and legislators.
Patients hit hardest
Most importantly, though, MIFA wants to get the word out to patients. William Barr, MIFA development coordinator, pointed out that years ago credit card theft could cause months (or longer) of inconvenience for consumers, and sometimes considerable expenses. Today, the typical incident usually involves no cost to the consumer, only the minor inconvenience of waiting for a new credit card with a new number delivered through the mail.
That improvement happened over the last decade or so, thanks to a concerted effort on behalf of the credit card industry to educate consumers to be vigilant for suspicious transactions showing up on their statements. At the same time, credit card fraud departments have begun proactively double-checking with customers when they notice anomalous transactions. Such close monitoring of transactions in healthcare, Barr said, would go a long way to arresting the problem of medical identity theft.
"The financial industry has done a good job of educating and engaging -- deputizing -- consumers," said Rick Kam, president and co-founder of ID Experts in Portland, Ore. "We need them in the middle of the fight, protecting themselves and their families."
Payers and hospitals involved in medical identity theft incur many costs, including time and bandwidth spent untangling the fraud, as well as the services they provide to the thief, which they're unlikely to be reimbursed. But the hardest-hit victim is the patient whose identity was stolen: It can take months to extricate himself from the situation financially, that is if his insurance plan and employer hasn't dropped him. Imagine, for example, what it would look like to an employer if your health record and the local police blotter "proved" you to be a habitual drug seeker cruising the region's emergency rooms.
Recent research, Barr said, showed that payers cancel 40% of medical ID theft victims' policies. "It can be financially devastating," he said, adding that the intermingling of the thief's data and the victim's can be even more problematic, possibly injurious -- for example, if the victim is rushed to a hospital with a burst appendix, but the ID thief indicated in the medical records that it had already been removed, or somehow got drug allergies expunged from the record or changed blood-type data.
Interoperability woes a barrier to fixing medical ID theft
Worst of all, because interoperability issues force many health data systems to operate in proprietary silos, it can be a difficult to correct the victim's medical records. It can take a year and sometimes thousands of dollars. In some cases, errant records never get corrected.
More on fraud prevention
Big data creates need for bigger defenses against ID theft
Information security vs. fraudsters: Who wins?
The lowdown on holistic fraud prevention
"One of the characteristics of the healthcare industry now is that it's hugely fragmented," Barr said. "It allows for EHRs to be sold without any idea of interoperability. We see that continuing, and because of [it], a consumer's contaminated records can be all over the place. In fact, the consumer might not even know where their contaminated records are, because the perpetrator might have gone to a care provider the consumer doesn't even know about. It significantly magnifies the problem."
That being said, the payer plays an integral role in helping clean up medical records that have been affected by identity theft. They hold the most data and can track the fraudulent activity between providers, directing the victimized patient to the various providers the thief used. On the tech side, MIFA advocates stronger patient authentication beyond static insurance cards. Barr said that U.S. healthcare is "primitive" compared to many developed nations, and could improve authentication with smart cards, which many European nations have adopted and some U.S. legislators have considered. The trick, he concluded, will be to come up with authentication technology that isn't too expensive for small physician practices to implement.
Kam added that CMS has done much research in the realm of fraud detection and prevention to cut down abuse of taxpayer funds. Their authorities can help the private sector attain the same level of success.