While credit card breaches at retailers are grabbing headlines, identity thieves are quietly homing in on an even more lucrative area: health insurance and medical records.
More than 1.8 million people in the U.S. were victims of medical identity theft in 2013, according to a survey by the Ponemon Institute released in September. That's a 19 percent increase over the previous year. "Medical identity theft is the fastest growing component of ID theft," says Drew Smith, founder and CEO of InfoArmor, a provider of business-to-business identity theft solutions.
The latest case involves the alleged theft by Chinese hackers of 4.5 million medical records from Community Health Systems, a company that runs 206 hospitals in 29 states. Thieves stole records including names, addresses, birth dates, telephone numbers and Social Security numbers.
Like any type of identity theft, medical ID theft can damage your credit and cost you hours of hassles trying to clear it up. But it could also endanger your life if incorrect information appears on your medical records.
Why the bull's-eye? Health information is easier to hack than credit. In April, the FBI issued a private industry notification warning to health care providers that their data networks are not as robust as those in the financial and retail sectors, and "the possibility of increased cyberintrusions is likely."
Safeguards are in the works, but the move to electronic records and the health exchanges set up under the Affordable Care Act, otherwise known as Obamacare, have opened new opportunities for fraud, both online and off.
Experts say Americans can expect to see medical fraud heat up again in the months before open enrollment for 2015 government-subsidized insurance begins in November 2014.
Your medical ID: black market gold
Why would hackers bother with health insurance when they could get a direct line to your pocketbook via credit cards or financial accounts? "It's very lucrative," says Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance. "Stolen protected health information can be monetized for a much greater value than traditional financial account information."
A complete medical identity -- including name, address, phone number, Social Security number, medical insurance information and access to medical records -- is worth about $50 on the black market, says Michael Bruemmer, vice president of Experian's Data Breach Resolution group. "Without medical or insurance information, that drops to about $10 for someone's stolen information."
Bruemmer's group helped resolve 1,000 health care client breaches last year, including the largest breach of HIPAA, the Health Insurance Portability and Accountability Act.
Medical identity theft usually happens on a large scale, with hundreds or even thousands of identities stolen at one time. Once hackers have a medical ID, they can use it to procure prescription drugs or expensive medical equipment or simply to commit financial fraud -- often for months or years before anyone notices.
Why? Partly because people don't pay much attention to their medical or insurance records. While most of us wouldn't let a bank or credit card statement go unread, we tend to ignore the explanation of benefits (EOB) issued by our health insurance after we have a doctor's appointment or medical procedure.
'Friendly' fraud common
More than half of all medical identity theft is what's known as "friendly fraud" or "a victimless crime," according to the Ponemon Institute study. A typical example: an uninsured sibling or friend borrows your insurance card for a procedure, with or without your permission.
In 2013, the Medical Identity Fraud Alliance interviewed 800 victims of medical fraud. When asked what they would do differently, half said nothing. "Especially with the Robin Hood or 'victimless' crime, most people don't think there are consequences," says Patterson. "They say it's no big deal."
Yet there is no such thing as victimless medical identity theft. "If your sister has allergies that you don't have or a different blood type, her allergies and blood type are now comingled in your records," Patterson says. If you're unconscious and need an emergency transfusion or injection, that misinformation can kill you.
That kind of consequence comes, in equal measure, from both friendly and malicious medical identity theft, yet we continue to be lax about sharing our health information. "As a society, we just look at health in a very different way than we look at our finances," Patterson says.
Detecting medical fraud before it hurts you
Sometimes it takes a questionable medical bill to alert someone of a compromised medical identity, but even that doesn't always do the trick. Many people simply ignore such bills from their insurance companies. By the time a red flag goes up, your insurance may have been used to procure prescription drugs, black-market medical equipment and emergency room visits.
The consequences can be expensive. The Ponemon Institute found that 36 percent of medical ID theft victims pay to resolve the issue, and their out-of-pocket costs average nearly $19,000. Even if you don't end up paying out of pocket, such usage can wreak havoc on both medical and credit records, and clearing that up is a time-consuming headache.
That's because medical records are scattered. Unlike personal financial information, which is consolidated and protected by credit bureaus, bits of your medical records end up in every doctor's office and hospital you check into, every pharmacy that fills a prescription and every facility that processes payments for those transactions.
Bruemmer expects that will change soon, with more progressive states raising the bar. "California, in particular, has the most stringent standard for what constitutes a medical or health care breach," he says. If an individual's username and password is compromised on a health care portal there, the provider is required to notify him or her within five days, Bruemmer says.
"I actually think that's the way the industry is going and there will be more regulations across more states," Bruemmer says.
Compiling a composite identity for the big scam
One small breach of information here and there may not seem like much, but each one could be adding up to something serious. "Five years ago, most hackers were looking for Social Security numbers, credit card numbers. They were going for the quick, easy fraud," says Smith. "Today, they're looking to steal someone's health credentials, insurance information, credit card account passwords, so they can continue to monetize victims' identities over a longer period of time."
"Thieves are getting smart," Bruemmer agrees. "One organization may take a username and password, another your credit information, another your Social Security number. The last one may actually get your medical records. What they're doing is amassing, in three or four incidents over a period of time, the full identity stream."
Bruemmer says, for example, that thieves often use hacked email accounts to gain personal information. "People say, 'Oh, it's just the username and password for my email account, I'll just change that.' You'd be surprised how many people forget and let it go. Then, all of a sudden, something really bad happens."
As with any organized crime, fraudsters jump from one channel to the next, as each locks down. "In the financial world, they jumped from hard checks to electronic to online banking, and now mobile fraud," Patterson says. "Now they're jumping from traditional financial channels into health care channels."
Like the RAM-scraping in 2013's big retail breaches, online medical fraud has become more sophisticated in recent years. Yet old-fashioned huckstering is alive and well. In July, the owner of NC Behavioral Health and Counseling Services of Durham, North Carolina, was indicted for health care fraud, identity theft and 13 other criminal charges after submitting bogus claims for at least 56 clients. Court records allege that instead of covering medical services for the patients, the owner spent the $1 million she received from Medicaid on a Cadillac Esplanade, a Mercedes and a swimming pool.
New fraud opportunities courtesy of Obamacare
Obamacare and the expansion of Medicaid have opened up a whole new stream of opportunities for fraudsters, experts say. In June, a backpack was discovered on a street in Hartford, Connecticut, near the Access Health CT exchange. Inside were four notepads containing the Social Security numbers of 151 people enrolled in Connecticut's Obamacare exchange.
"There are so many opportunities out there to defraud people," says Dennis Jay, executive director of the Coalition Against Insurance Fraud. "You're dealing with populations that are new to insurance and don't understand the dangers of selling a Medicaid number or sharing a health ID number."
Just before the rollout of Obamacare, roving gangs began knocking on doors in lower-income neighborhoods, requesting health information they said was needed to expedite the new health plans. "People gave it out," Jay says. He expects that kind of fraud to pick up as the open enrollment period for 2015 coverage through the health insurance exchanges nears.
The expansion of Medicaid accompanying Obamacare has led to similar door-to-door solicitations, he says. "The Medicaid expansion also concerns us because there are roving gangs that will pay you to share the numbers with them," Jay says. "Once [fraudsters] have those numbers, they know they're golden. A lot of Medicaid systems won't detect it for many months and there could be tens of thousands or even tens of millions gone before that happens."
It's too early to measure the impact of the health exchanges set up under Obamacare and the sharing of health records online. "We haven't even seen how secure those sites are," Smith says. "But given the problems they've had, it would be surprising if we don't see identity theft bump up over the next couple years because information has been compromised."
What you can do to keep your medical identity safe
• Be vigilant about your personal information. Shred all documents with any kind of sensitive information and change your passwords on a regular basis. "Don't use the same password on multiple platforms," Bruemmer advises, "particularly health care platforms, financial institutions, government records."
• Don't share health information with solicitors or phishers. Steer clear of links in emails that request that information online. Don't give out your information over the phone to someone claiming, for example, to represent your insurance company. Don't give it to anyone who appears at the door, either. A common scam now, according to Jay, is to knock on doors asking for medical information to renew an Obamacare policy.
• Avoid sharing sensitive information. Even health care providers sometimes over-reach. Many automatically ask for your Social Security number. "In many cases, they don't need it but it's the default question," Bruemmer says. "As rule of thumb, don't share anything of a personal nature with a health care provider that you wouldn't consider sharing with your neighbor."
• Read that EOB, preferably via email. An Explanation of Benefits from your insurance provider is not exactly easy reading, but it's worth more than a scan -- and the sooner, the better. "I encourage people to get their explanation of benefits via email," Smith says. "They come through much faster, instead of getting lost in the mail. Anything you can do to monitor your EOB is a great start."
• Move quickly on breach notifications. If you get a letter from a health care provider saying your health care information has been exposed, read it carefully and follow the instructions immediately. Such letters usually offer helpful tips on how to protect yourself and take advantage of free services provided.
• Check credit reports and medical records regularly. You can access each of your credit reports from the three major credit bureaus for no cost once a year at AnnualCreditReport.com. Evidence of medical identity theft often shows up there in the form of unpaid medical bills. You also have the right to review your medical records. Any time you have a medical procedure or visit a new physician, you should request and review a copy of your records.See related: Familiar fraud: When family and friends steal your identity, Study: Data breaches pose a greater risk, Data breach protection: 10 tips