Medical identity theft (MIT) has become a major fraud issue over the past several years. However, most consumers may not be aware of the threats it poses. Unlike traditional financial crimes such as credit card or check fraud, which rarely involve anything more than a loss of money, the consequences of MIT can include physical harm or potential loss of life.

According to the Medical Identity Fraud Alliance (MIFA), MIT is defined as the fraudulent theft of an individual’s protected health information (PHI) and personally identifiable information (PII) — such as a name or Social Security number — to obtain medical goods and services or for financial benefit. Additionally, the MIFA states that synthetic identities have been used to commit MIT in which the PHI of several individuals may be mixed to create separate identities.

Consequences of Medical Identity Theft

Unlike financial fraud, MIT is potentially a life-or-death situation at its most extreme. When others use a victim’s medical identity to obtain medical services or prescription drugs, that information may be commingled with the victim’s electronic health record (EHR).

The MIFA highlighted an example in which an elderly man visiting his local emergency room for a back injury was nearly administered penicillin, to which he had a life-threatening allergy. The issue was caused after the victim lost his medical ID card and did not immediately report it. In the intervening months, someone else used his medical ID at the same emergency room in which he was treated. The victim’s medical records were corrupted with the addition of the fraudster’s medical conditions.

There are several factors that contribute to the recent increase in MIT: the conversion to digital records, the black market value of medical records, friendly fraud and insider threats, and Affordable Care Act (ACA) fraud.

Conversion to Digital Records

As health care providers convert to digital records, the personal medical information of millions of people has become vulnerable to external data breaches. In 2009, the federal government began offering hospitals and health care providers a monetary incentive to convert to EHRs.

Although there are security guidelines and certifications in place, online medical data has become a prime target for skilled cybercriminals. According to the Identity Theft Resource Center (ITRC), of the 761 data breaches it reported in 2014, 322 (42 percent) were in the medical/health care category. The Ponemon Institute estimates the annual economic impact from MIT is $11.6 billion.

Black Market Value of Medical Records

Since December 2013, there have been many high-profile retail data breaches in which millions of consumers’ PII was compromised and put up for sale on underground websites such as Rescator. However, credit card and Social Security numbers for sale on underground sites only fetch a few dollars. Stolen medical identities, by comparison, sell for as much as $50.

In general, consumers do not understand how valuable their medical insurance information has become.

Friendly Fraud and Insider Threats

The Ponemon Institute’s survey found that 35 percent of MIT was the result of family members using the victim’s insurance information. These crimes often go unreported to law enforcement because the victim knows or is related to the perpetrator.

Twenty-nine percent of cases stem from health care providers billing for unrendered services and from malicious insiders employed by health providers who steal and sell medical identities.

ACA Fraud

After the ACA was implemented, millions of Americans were exposed to identity theft and fraud. The enrollment website had issues, according to cybersecurity expert and SecureMySocial CEO Joseph Steinberg. He said it was unstable and would sometimes deny access, cut off communications in the middle of a session or crash completely. Buggy systems often let criminals exploit glitches to gain unauthorized access, read data or even modify the code executed during subsequent user sessions. Reports show organized crime groups and fraudsters began to bombard potential victims with emails and phone calls in an attempt to trick them into surrendering their Social Security number, bank number or other types of PII.

For instance, when a 69-year-old Ohio man signed up for health care through the site, he became a prime target for fraudsters. He started receiving dozens of spam emails and even received a phone call from a “convincing” man who claimed to be from the national Medicare office. The man said Medicare was ready to send a new Medicare card, but it first needed to confirm his identity through his bank account number.

Limiting MIT

Consumer awareness of medical identity theft is an important step that must be taken to limit the growth and expansion of MIT. Consumers must understand there are potentially severe consequences if their medical identity is compromised. The following are some actions consumers can take to prevent and detect fraud early on:

  • Guard medical identification and insurance information as closely as your Social Security number and banking information.
  • Carefully review the explanation of benefit statements you receive in the mail to ensure listed services pertain to your own care.
  • Monitor your credit report for unusual activity related to delinquent medical bills.
  • If you suspect you have been victimized, request all medical records from your health care providers to perform a review.
  • Read this ITRC fact sheet for more consumer protection information.

A Look Into the Near Future

As more devices enter the Internet of Things ecosystem, the health care industry will benefit from innovation. Wearables such as Fitbit and Apple iWatch will capture real-time data on patients. The natural progression is for this data to be transmitted to a patient’s health care provider and become part of a holistic health care approach.

Ultimately, there will be an increased number of access points into health care systems and, consequently, an increased attack surface for cybercriminals.

The top-of-mind issue for information security professionals in the health care industry is protecting against network infiltration and large-scale data breaches. However, what about the risk posed by the multiple devices patients will use to access their records? Mobile malware continues to increase at an alarming rate as cybercriminals look to capitalize on the proliferation of mobile device usage. According to Websense, 2015 will see cybercriminals looking to take advantage of auto-login capabilities of mobile apps to steal credentials. Malcovery predicts password reuse attacks from the countless data breaches will increase since cybercriminals will automate the attacks.

These are not groundbreaking predictions, but the preparedness of the health care industry must be considered. More mature industries in the digital world have made investments to address the challenges created by customers using multiple devices to access accounts and records. Device fingerprinting, malware detection, device reputation analysis and IP address monitoring are all techniques used to identify suspicious logins using a current customer’s credentials.
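The login-risk techniques named above (device fingerprinting, device and IP reputation, IP monitoring, and detection of automated password-reuse attempts) combined into a minimal risk scorer for patient-portal logins. This is an added example, not code from the article or from any vendor it mentions; the account names, fingerprints, IP addresses (documentation ranges), history and thresholds are all constructed.

```python
from collections import defaultdict

# Constructed history of devices and IPs previously seen for each patient account.
KNOWN = {
    "patient-1042": {"devices": {"fp-a1b2"}, "ips": {"203.0.113.7"}},
    "patient-2077": {"devices": {"fp-c3d4"}, "ips": {"198.51.100.21"}},
}
# Constructed reputation list of IPs observed in credential-stuffing traffic.
BAD_IPS = {"192.0.2.99"}

def score_login(account, device_fp, ip, accounts_from_ip):
    """Return (risk_score, reasons) for one login attempt.
    Weights and thresholds are assumptions chosen for this illustration."""
    hist = KNOWN.get(account, {"devices": set(), "ips": set()})
    score, reasons = 0, []
    if device_fp not in hist["devices"]:      # device fingerprinting
        score += 2; reasons.append("new device fingerprint")
    if ip not in hist["ips"]:                 # IP address monitoring
        score += 1; reasons.append("new source IP")
    if ip in BAD_IPS:                         # IP / device reputation
        score += 3; reasons.append("IP on reputation blocklist")
    if accounts_from_ip >= 5:                 # one IP trying many patient accounts
        score += 3; reasons.append("credential-stuffing pattern")
    return score, reasons

def triage(events):
    """events: list of (account, device_fp, ip) login attempts from one time window.
    Returns {account: (score, reasons, action)}; action escalates with the score."""
    per_ip = defaultdict(set)
    for acct, _, ip in events:
        per_ip[ip].add(acct)                  # distinct accounts per source IP
    out = {}
    for acct, fp, ip in events:
        score, reasons = score_login(acct, fp, ip, len(per_ip[ip]))
        action = "block" if score >= 5 else "step-up" if score >= 2 else "allow"
        out[acct] = (score, reasons, action)
    return out

# Constructed sample window: a returning patient, a patient on a new phone,
# and six accounts hit from one blocklisted IP (password-reuse attack).
SAMPLE_EVENTS = [
    ("patient-1042", "fp-a1b2", "203.0.113.7"),
    ("patient-2077", "fp-zz99", "203.0.113.50"),
] + [(f"patient-{n}", "fp-bot1", "192.0.2.99") for n in range(3000, 3006)]

if __name__ == "__main__":
    for acct, (score, reasons, action) in triage(SAMPLE_EVENTS).items():
        print(f"{acct}: {action} (score {score}) {reasons}")
```

A "step-up" outcome is where a portal would require a second factor or an out-of-band confirmation rather than denying the patient access outright.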

Are health care systems preparing to help protect their patients from login credential theft on the increasing number of devices patients will use to access and contribute to their health care records? Banks and other financial institutions have long witnessed their customers lose login credentials through phishing and malware attacks. With the digitalization of health care records and the subsequent surge in value, cybercriminals will employ the same techniques used to gain access to individuals’ online bank accounts to access their EHR.

The theft of health care login credentials can have widespread implications. Medical identity theft is still an immediate concern. However, this is shortsighted. Criminals can use the information from an EHR to conduct cross-industry identity theft, including establishing a line of credit using the victim’s identity or taking out an auto insurance policy in the victim’s name. What’s even more challenging is identifying the root cause of the identity theft. Victims are often unaware of lost credentials; therefore, they may never make the connection between the compromised medical records and the fraudulently opened credit card.

Medical identity theft is a growing fraud problem, and its consequences can be dire. The industry adoption of EHR, black market value of medical identity information and the lack of consumer awareness of the problem have all contributed to the growth of this issue. The expanded use of connected medical devices will provide increased opportunities for cybercriminals to access and compromise consumers’ medical records. Health care providers will have to invest in and adopt technologies to be on par with the financial sector.

Article co-written by Chad Barnes, IBM Red Cell
