The High Price of Medical Identity Theft and Fraud
Some Quick Facts 3 times more likely to be ID fraud victim if credit/debit card breached 1 New ID fraud victim every 2 seconds 2 Few adults are familiar with medical identity theft 3 The average per record cost of a data breach for U.S. organizations is $201 4 Healthcare sector $316 per record $70B improper CMS payments in 2010 1 2015 Javelin Strategy & Research Identity Fraud Study 2 2015 Javelin Strategy & Research Identity Fraud Study 3 2012 Harris Interactive/Nationwide Study: Few Aware of Risk of Medical Identity Theft 5 2014 Cost of Data Breach Study (US), IBM/Ponemon 2
Medical Identity Theft & Fraud Theft of PHI for the purpose of financial gain or to unlawfully obtain medical goods or services Use of medical ID not your own, or fictitious/synthetic identity, to obtain goods and services, or to unlawfully financial gain Obtaining insurance, prescription drugs, healthcare treatment and medical goods, employment, government benefits or other financial gain May involve financial gain both from the sale of stolen PHI/PII or from the use of PHI/PII to obtain medical goods and services 3
Unique Medical ID Fraud Experience Corrupted medical records can be life-threating PHI is not easily closed or changed Financial liability not limited No healthcare equivalent of Fair Credit Reporting Act (FCRA) Costs borne by all parties no set practice 4
Survey on Medical ID Theft The 2014 Fifth Annual Study on Medical Identity Theft, sponsored by MIFA and our members, measures the prevalence of medical identity theft in the United States and its impact on consumers Surveyed 1,005 adults (aged 18+), who self-reported they or close family members were victims of medical identity theft For purposes of the study, medical identity theft occurs when someone uses an individual s name and personal identity to fraudulently receive medical service, prescription drugs and goods, including attempts to commit fraudulent billing 5
Survey Highlights Medical identity theft is growing Base rate of victims increased from.0053% in 2010 to.0102% in 2013 2.3 million adult-aged victims of medical identity theft in 2014 Nearly 500,000 estimated new victims in 2014 21.7% increase in from 2013 to 2014 $20 billion estimated out-of-pocket costs for victims Reputational risks for healthcare providers & victims Resolution of the crime is time-consuming Medical identity theft can put victims lives at risk About half of medical identity theft may be preventable 6
Contributing Factors Pervasiveness of electronic PHI Increasing alternative delivery models that include care outside of facilities Increasing number of individuals with healthcare benefits High value of PHI on black market Emerging technologies cloud, mobile & BYOD, IoT Changing legal & regulatory landscape Criminals are highly organized industry is less organized Pay and chase model Lack of coordinated response by public & private sectors to specifically address PHI privacy & security 7
How It Happens Friends & Family crime Phished Data breach Insider/bad actor at healthcare provider or plan Lost wallet or other PHI-containing item PHI intercepted by crook email, post mail 8
Discovering Medical ID Theft Collection letter Adverse entry on credit report Errors in invoices from healthcare provider EOB errors Mistakes in health records Informed by healthcare provider Data breach notification Law enforcement 9
Non-Medical Consequences 89% of those with negative reputational impacts expressed embarrassment from disclosure of sensitive medical information Employment related difficulties Revocation of professional licenses Lost time and productivity fixing inaccuracies in records Financial ID theft Out-of-pocket costs for resolution 10
Financial Impact 65% Of victims paid an average $13,453 out-of-pocket Reimbursements to healthcare provider for services to ID thief Payments to health plan Identity protection, credit reporting, legal counseling Diminished credit scores Increased health insurance premiums Legitimate health plan claims denied 11
Medical-related Consequences Misdiagnosis Mistreatment Incorrect medication prescribed Delay in receiving healthcare, treatment Lost health insurance coverage Lost trust/confidence in healthcare provider post-breach 12
Preventable Fraud Sharing of personal identification for medical services is prevalent 49% had their personal identification or medical credentials shared with someone they knew 25% willingly shared 24% family member or friend took identification or medical credentials without consent Consumers don t understand significant consequences from comingled health records 13
Education Needed 60% do not check their medical records for accuracy Don t know how Trust their providers to be accurate Did not think of it Records not easily accessible Don t care 50% do not review their EOBs at all Trust accuracy Do not understand or think the document is confusing Not important 14
Resolving the Crime Only 10% reach resolution Worked with health plan or healthcare provider to resolve Repaid healthcare provider or health insurer for services rendered to fraudster Obtained and reviewed credit reports Purchased identity protection services Contacted credit bureaus Engaged legal counsel Engaged non-profit that provides victim assistance 15
What Industry Can Do Stop usage of SSN as an identifier or as part of PHI; shift to other personal identifiers Take an eco-system stance Review of business associates security & privacy practices Enterprise-wide approach it s not just the CISO s responsibility Sound policies around cloud, mobile and BYOD, emerging technology Staff training insider threat is real Consumer education 16
Strength in Numbers to Reduce Medical ID Theft & Fraud Conduct research to understand the root causes of medical identity fraud, including internal and external sources. Participate in a community of industry knowledge experts to develop industry best practices, policies and best-in-class technologies for fraud detection and prevention Inform and influence public policy by building relationships with law enforcement and regulatory agencies (FBI, OIG, FTC, OCR), and advocating on behalf of consumers 17
Ann Patterson Medical Identity Fraud Alliance @MedIDFraudAssoc 18