Medical identity theft (MIT) has become a major fraud issue over the past several years. However, most consumers may not be aware of the threats it poses. Unlike traditional financial crimes such as credit card or check fraud, which rarely involves anything more than a loss of money, the consequences of MIT can involve physical harm or potential loss of life.

According to the Medical Identity Fraud Alliance (MIFA), MIT is defined as the fraudulent theft of an individual’s protected health information (PHI) and personally identifiable information (PII) — such as a name or Social Security number — to obtain medical goods and services or for financial benefit. Additionally, the MIFA states that synthetic identities have been used to commit MIT in which the PHI of several individuals may be mixed to create separate identities.

Consequences of Medical Identity Theft

Unlike financial fraud, MIT is potentially a life-or-death situation at its most extreme. When others use a victim’s medical identity to obtain medical services or prescription drugs, that information may be commingled with the victim’s electronic health record (EHR).

The MIFA highlighted an example in which an elderly man visiting his local emergency room for a back injury was nearly administered penicillin, to which he had a life-threatening allergy. The issue was caused after the victim lost his medical ID card and did not immediately report it. In the intervening months, someone else used his medical ID at the same emergency room in which he was treated. The victim’s medical records were corrupted with the addition of the fraudster’s medical conditions.

There are several factors that contribute to the recent increase in MIT, such as a conversion to digital records, the black market value of medical records, friendly fraud and insider threats and Affordable Care Act (ACA) fraud.

Conversion to Digital Records

As health care providers convert to digital records, the personal medical information of millions of people has become vulnerable to external data breaches. In 2009, the federal government began offering hospitals and health care providers a monetary incentive to convert to EHRs.

Although there are security guidelines and certifications in place, online medical data has become a prime target for skilled cybercriminals. According to the Identity Theft Resource Center (ITRC), of the 761 data breaches it reported in 2014, 322 (42 percent) were in the medical/health care category. The Ponemon Institute estimates the annual economic impact from MIT is $11.6 billion.

Black Market Value of Medical Records

Since December 2013, there have been many high-profile retail data breaches in which millions of consumers’ PII was compromised and put up for sale on underground websites such as Rescator. However, credit card and Social Security numbers for sale on underground sites only fetch a few dollars. Stolen medical identities, by comparison, sell for as much as $50.

In general, consumers do not understand how valuable their medical insurance information has become.

Friendly Fraud and Insider Threats

The Ponemon Institute’s survey found that 35 percent of MIT was the result of family members using the victim’s insurance information. These crimes often go unreported to law enforcement because the victim knows or is related to the perpetrator.

Twenty-nine percent of cases stem from health care providers billing for unrendered services and from malicious insiders employed by health providers who steal and sell medical identities.

ACA Fraud

After the ACA was implemented, millions of Americans were exposed to identity theft and fraud. The HealthCare.gov enrollment website had issues, according to cybersecurity expert and SecureMySocial CEO Joseph Steinberg. He said it was unstable and would sometimes deny access, cut off communications in the middle of a session or crash completely. Buggy systems often let criminals exploit glitches to gain unauthorized access, read data or even modify the code executed during subsequent user sessions. Reports show organized crime groups and fraudsters began to bombard potential victims with emails and phone calls in an attempt to trick them into surrendering their Social Security number, bank number or other types of PII.

For instance, when a 69-year-old Ohio man signed up for health care through the site, he became a prime target for fraudsters. He started receiving dozens of spam emails and even received a phone call from a “convincing” man who claimed to be from the national Medicare office. The man said Medicare was ready to send a new Medicare card, but it first needed to confirm his identity through his bank account number.

Limiting MIT

Consumer awareness of medical identity theft is an important step that must be taken to limit the growth and expansion of MIT. Consumers must understand there are potentially severe consequences if their medical identity is compromised. The following are some actions consumers can take to prevent and detect fraud early on:

  • Guard medical identification and insurance information as closely as your Social Security number and banking information.
  • Carefully review the explanation of benefit statements you receive in the mail to ensure listed services pertain to your own care.
  • Monitor your credit report for unusual activity related to delinquent medical bills.
  • If you suspect you have been victimized, request all medical records from your health care providers to perform a review.
  • Read this IRTC fact sheet for more consumer protection information.

A Look Into the Near Future

As more devices enter the Internet of Things ecosystem, the health care industry will benefit from innovation. Wearables such as Fitbit and Apple iWatch will capture real-time data on patients. The natural progression is for this data to be transmitted to a patient’s health care provider and become part of a holistic health care approach.

Ultimately, there will be an increased number of access points into health care systems and, consequently, an increased attack surface for cybercriminals.

The top-of-mind issue for information security professionals in the health care industry is protecting against network infiltration and large-scale data breaches. However, what about the risk posed by the multiple devices patients will use to access their records? Mobile malware continues to increase at an alarming rate as cybercriminals look to capitalize on the proliferation of mobile device usage. According to Websense, 2015 will see cybercriminals looking to take advantage of auto-login capabilities of mobile apps to steal credentials. Malcovery predicts password reuse attacks from the countless data breaches will increase since cybercriminals will automate the attacks.

These are not groundbreaking predictions, but the preparedness of the health care industry must be considered. More mature industries in the digital world have made investments to address the challenges created by customers using multiple devices to access accounts and records. Device fingerprinting, malware detection, device reputation analysis and IP address monitoring are all techniques used to identify suspicious logins using a current customer’s credentials.

Are health care systems preparing to help protect their patients from login credential theft on the increasing number of devices patients will use to access and contribute to their health care records? Banks and other financial institutions have long witnessed their customers lose login credentials through phishing and malware attacks. With the digitalization of health care records and the subsequent surge in value, cybercriminals will employ the same techniques used to gain access to individuals’ online bank accounts to access their EHR.

The theft of health care login credentials can have widespread implications. Medical identity theft is still an immediate concern. However, this is shortsighted. Criminals can use the information from an EHR to conduct cross-industry identity theft, including establishing a line of credit using the victim’s identity or taking out an auto insurance policy in the victim’s name. What’s even more challenging is identifying the root cause of the identity theft. Victims are often unaware of lost credentials; therefore, they may never make the connection between the compromised medical records and the fraudulently opened credit card.

Medical identity theft is a growing fraud problem, and its consequences can be dire. The industry adoption of EHR, black market value of medical identity information and the lack of consumer awareness of the problem have all contributed to the growth of this issue. The expanded use of connected medical devices will provide increased opportunities for cybercriminals to access and compromise consumers’ medical records. Health care providers will have to invest in and adopt technologies to be on par with the financial sector.

Article co-written by Chad Barnes, IBM Red Cell

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today