Is 2015 the Year of the Healthcare Hack?


If 2014 was the year of major retailers being involved in security breaches, 2015 has thus far been the year for insurance companies. Anthem led the way earlier this year with a hack that compromised the personal information of hundreds of thousands of victims. Now, Premera Blue Cross, one of the largest health insurance providers in the Pacific Northwest, has been the target of a security breach.

Security experts are still attempting to discover the full extent of the breach. Hackers evidently accessed housing data from as far back as 2002. It is believed that at least 11 million people were affected by the breach.

Premera also has dozens of subsidiary organizations, clients, and contractors, each with its own set of records. Technology experts from the health care provider are working tirelessly to determine how much of their information was compromised. Vivacity, a workplace wellness provider, and Connexion Insurance Solutions, which focuses on small- to medium-sized businesses, were both affected, too.

The vulnerability has been in use for some time. Company officials say the first breach occurred in May of 2014 and was only discovered in January of 2015. The FBI, in coordination with private cyber security firm Mandiant, is working to uncover the size and severity of this attack as well as to find the perpetrators.

Criminals have stolen a wide variety of personal information from the provider. Names, addresses, and Social Security numbers are the obvious targets, and these are frequently used to commit identity theft or cloning. A surprising amount of health information is also used to illegally obtain prescription medication or commit insurance fraud. This form of medical identity theft is growing as a black market solution to higher medical costs. In 2014, 2.3 million people were victims of this kind of fraud and each victim had to pay an average of $13,500 to resolve the problem.

There appears to be a strong connection between the attacks made on Premera and those made on Anthem. In both cases, hackers registered domains with common misspellings of the company’s name and used those sites to collect login information. These usernames and passwords were then used to breach the company at higher and higher levels. These tactics, and several others, point to Chinese hacking group Deep Panda.
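A defender can watch for this kind of look-alike registration by comparing newly seen domains against the organization's own name. The sketch below is an added example, not part of the original article; every domain in it is a constructed placeholder, and besides plain misspellings it also folds look-alike characters such as "rn" for "m", which goes slightly beyond what the article describes.

```python
# Added example: flag observed domains that imitate a brand's domain name.
# Assumes inputs are registrable domains (e.g. from a new-registration feed),
# so the first label is the name being imitated. All names are constructed.

# Look-alike sequences folded back to the letter they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

def fold(label):
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ma" typed for "am".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def flag_lookalikes(brand, observed, max_dist=1):
    """Return observed domains whose name is within max_dist edits of the brand."""
    brand_label = fold(brand.split(".")[0])
    hits = []
    for domain in observed:
        if domain.lower() == brand.lower():
            continue  # the organization's real domain
        if edit_distance(fold(domain.split(".")[0]), brand_label) <= max_dist:
            hits.append(domain)
    return hits

# Constructed sample feed of observed domains.
SAMPLE = ["examplehealth.com", "exarnplehealth.com", "examp1ehealth.com",
          "exmaplehealth.com", "examplehelth.com", "unrelated-clinic.org"]

if __name__ == "__main__":
    for d in flag_lookalikes("examplehealth.com", SAMPLE):
        print("possible look-alike:", d)
```

Flagged names are candidates for review, blocking at the mail gateway or web proxy, or a takedown request, not proof of malicious intent.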

As these groups grow bolder, it’s more important than ever to keep up with your own best practices in medical identity theft prevention. The FTC recommends following these three steps to keep yourself safe:

Stay on the Lookout for Suspicious Bills
Medical identity theft results in bills to you for procedures done to someone else. Unscrupulous doctors bill insurance companies for procedures they never did or for more costly versions of operations than what they performed. They count on instant reimbursement, knowing the insurance company will try to collect the fraudulent charge from the policyholder. Medical identity theft confounds this process. In other instances, criminals use your identity to get medical treatment and bill it to your insurance, leaving you on the hook for the charges.

These charges will show up in a few places. For instance, you may get a call from a collection agency over a medical bill. You may also have a medical bill arrive in the mail for a procedure you didn’t have. Your insurance company may also notify you of a change in your premium or coverage based on a new medical condition. Each of these is a red flag that you’ve been the victim of medical identity theft.

Review Your Medical Records
The Health Insurance Privacy Protection Act (HIPAA) requires that healthcare companies keep and maintain detailed records about patient services. You have the right to obtain a copy of those records. In most cases, your best bet will be to contact a major provider of medical services, like a national pharmacy.

You may also need to contact your insurance provider for copies of their records. They have the same record-keeping and disclosure requirements that providers do, but they may charge for the service of providing records. If you can narrow down a window of time during which you suspect your account was compromised, you can save yourself both time and money.

Providers may refuse to comply with your request for disclosure because they fear violating the privacy of the identity thief. Fortunately, an appeals process exists for this decision. You need to contact the person named in the privacy policy as the patient representative or ombudsman. If you are still unsuccessful, you can contact the US Department of Health and Human Services’ Office for Civil Rights.

Correct Your Records
You can submit requests for corrections to each provider that has charged you for services. Such a request should explain the reason for the error and include documentation that the charge is, in fact, an error. Examples would be proof that you were nowhere near the provider at the time of the charge or a letter from your doctor stating that you have never experienced the condition that was treated.

If your provider refuses to change or reverse the charge, ask them to place a notice of dispute on your account. This notice will show credit agencies that the charge may not reflect your borrowing habits and will help you mitigate the impact of a poor credit score. Such a notice should also stop the collection calls.

This pattern of security leaks means everyone is potentially at risk. You can’t avoid digitizing your health care information. But you can take steps to keep your identity safe. Credit monitoring services can provide you with peace of mind. Knowing you’ve got a team of dedicated professionals watching your back around the clock can help you sleep soundly at night.

Many financial institutions, including our parent group PrimeTrust Federal Credit Union, offer identity theft prevention and protection resources as a part of a base or premium checking account. Check out this overview of PrimeTrust’s IDProtect solution to learn more about how an account typically works.

SOURCES:

http://www.consumer.ftc.gov/articles/0171-medical-identity-theft

http://www.computerworld.com/article/2898419/data-breach/premera-anthem-data-breaches-linked-by-similar-hacking-tactics.html

http://money.cnn.com/2015/03/17/technology/security/premera-hack/

http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/

http://www.csmonitor.com/World/Passcode/2015/0320/Premera-hack-What-criminals-can-do-with-your-healthcare-data
