Medical identity theft has been on the rise for some time. In fact, medical identity theft incidents increased 21.7% between the Ponemon Institute’s 2014 survey and its “Fifth Annual Study on Medical Identity Theft” released in February 2015. All respondents were victims of some form of identity theft, while 86% were victims of medical identity theft.
While fraudulent credit card charges are often reversed by the card issuer, medical identity theft can cost the insured party a considerable amount of money. Nearly two-thirds (65%) of those responding to the Ponemon Institute’s survey said they paid an average of $13,500 to resolve the crime. These costs typically went toward paying a healthcare provider, repaying the insurer for services the thief obtained, or paying for identity protection or legal counsel.
Respondents ranked reimbursement for the costs of preventing future damage as the most important action following a medical identity theft incident. Victims who sought to resolve medical identity theft crimes spent an average of 200 hours doing so, according to the study.
Just 37% of respondents reported that their healthcare providers informed them of ways to prevent medical identity theft, and two-thirds (67%) of those respondents said they do not feel confident that these measures will keep their records secure. Half of all respondents agreed or strongly agreed that they would find another provider if they were not confident in a provider’s security practices, and 47% said they would find another provider if their records were stolen or they were concerned about record security.
Kate Borten, CISSP, CISM, founder of The Marblehead Group in Marblehead, Massachusetts, notes that the Anthem breach appears to have involved multiple security weaknesses. Successful spear phishing attacks gave the attackers their initial access, and the network protocols in use were likely outdated, says Borten.
Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.
“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”
An incident response plan proves valuable regardless of the size of the organization or of the breach, he says. The plan must be tested and retested regularly so that employees know it exists and how it works, and so that gaps surface and updates can be made where necessary.
Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.
“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line is we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”
Stay tuned for the April issue of Briefings on HIPAA for more reactions to the breach.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: What type of information can we email to patients? For example, is it permissible to email appointment reminders? I’m wondering what sort of PHI the email can include and what we should omit. Also, I am unsure whether to include the information in the body of the email or in an attachment.
A: CEs can send appointment reminders to patients via unencrypted email as long as the CE sending the reminder is not a specialty practice, such as a mental health practitioner, because that will reveal the condition of the patient if someone intercepts the email. Any PHI may be sent to the patient as long as the email is encrypted—in the body of the email and as an attachment.
The Omnibus Rule specifically permitted healthcare providers to communicate with patients using unsecure email as long as the patient is made aware of the risks before an email containing PHI is sent. Meaningful Use Stage 2 takes security a step further and requires hospitals, critical access hospitals, and eligible healthcare professionals to implement secure email so the provider and the patient can communicate securely.
In the end, if PHI is included in an unencrypted email and the email is intercepted, it is a breach of unsecure PHI and may be reportable to the individual and OCR.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
In early 2014, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, 2013 implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.
With the March 1 deadline for reporting to HHS breaches affecting fewer than 500 individuals that were discovered during the previous calendar year just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents who said their organizations experienced a HIPAA breach in the past two years remained at 55% from 2014 to 2015.
However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase. Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.
The HIPAA Omnibus Rule eliminated the “significant risk of harm” threshold and replaced it with a presumption that any impermissible use or disclosure of PHI is a reportable breach unless a risk assessment demonstrates a low probability that the PHI has been compromised, a change some industry experts predicted would lead to an increase in reportable breaches. The expanded definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.
This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Nearly half of this year’s respondents (49%) serve as the privacy officer for their organization, similar to the 50% who did so in 2014, while just 33% reported being privacy officers before the Omnibus Rule was published in early 2013. Based on this data, a growing number of HIM directors and managers appear to be serving as privacy officers at their facilities. More specifically, 65% of the HIM directors and managers responding to the 2015 survey also serve as the privacy officer.
A password-protected but unencrypted laptop containing the PHI of approximately 8,000 patients was reported missing from Riverside County Regional Medical Center in Moreno Valley, California, according to The Press Enterprise.
A breach notification letter sent to affected patients states that the medical center learned December 1, 2014, about the missing laptop that was used by its ophthalmology and dermatology clinics. This is the second time in less than a year that the medical center reported a missing laptop, according to The Press Enterprise.
The medical center notified law enforcement and began its own internal investigation, but was unable to find the laptop at the time of the January 29, 2015 letter, which states that the laptop may have contained the following patient information:
- Dates of birth
- Telephone numbers
- Social Security numbers
- Treating physician or department
- Diagnosis and treatment information
- Medical record number
- Medical service code
- Health insurance information
The medical center does not believe the laptop was taken in an effort to access or misuse patient information. However, it is offering identity protection alerts for affected patients, according to the letter. Because the laptop was password-protected but not encrypted, the PHI on it counts as unsecured PHI under HHS guidance, so breach notification was required regardless of the suspected motive; only encryption consistent with that guidance would have qualified the data for the safe harbor.