Preventing Insider Medical ID TheftRecent Cases Spotlight Fraud Risks
Three recent identity theft incidents highlight the need for healthcare organizations to stay vigilant in preventing fraud involving insiders.
See Also: Rethinking Endpoint Security
The incidents include:
- A Louisiana case involving the arrest of seven individuals, including a former hospital billing worker who allegedly used patient information for the creation of fake checks and IDs;
- A Florida case involving a former hospital emergency department clerk who allegedly accessed more than 760,000 patient records to sell information for profit;
- A Texas case involving a former state employee who allegedly used patient immunization information to apply for credit cards online.
Security experts say healthcare organizations can take several steps to help minimize the risk of identity theft. Those include auditing and monitoring worker activity, restricting staff access to patient information and ramping up employee training.
The Identity Theft Resource Center also is offering advice on fraud prevention (see: ID Theft: 2013 Top Concerns).
In the Louisiana case, a former billing worker at LSU Hospital System allegedly used copies of scanned checks from a database and other patient information, including Social Security numbers, to create fake checks and IDs used by others, according to Louisiana State Police.
So far, the incident has affected 416 patients from several states. But that number might rise as LSU and state police continue their investigations into the matter, an LSU spokesman tells HealthcareInfoSecurity.
The organization is reviewing all procedures and policies in the wake of the incident, the spokesman says. "Nothing new has been implemented yet, but it's a matter of time before new procedures are put into effect."
A Louisiana State Police spokesman told HealthcareInfoSecurity: "ID thefts are increasingly common, but what makes this case different is that so many individuals were involved and so much information came from a hospital database. You don't usually see that in counterfeit check cases."
In the Florida case, a former Florida Hospital Celebration emergency department registration worker and his wife, who worked as an insurance representative at the hospital, were arrested last year and pleaded guilty to charges that included conspiracy to obtain health information.
The former clerk allegedly used a computer in the emergency department to inappropriately access electronic health records for more than 760,000 patients in several Florida Hospital locations, looking for information about individuals involved in motor vehicle accidents so that they could be solicited for chiropractic and legal services.
Authorities alleged the former clerk sold the patient information to a third person, who pleaded guilty Jan. 7 to federal charges of information theft (see: Selling Records for Profit Alleged.)
But it's not just hospitals that are vulnerable to these sorts of insider ID thefts. A former worker at the Texas Department of Health and Human Services was charged this month with identity theft after allegedly using information from patient immunization records to apply online for credit cards, according to a statement from the Titus County Sheriff's office . "The list of individuals that had their information stolen is still growing and we believe it to be in the hundreds," the statement notes.
A search of the suspect's residence recovered some of the property that the suspect purchased with the fraudulent credit cards, along with immunization records and other documents with patient or family members' names and Social Security numbers, according to the statement.
A Texas Department of Health spokeswoman told HealthcareInfoSecurity: "We are working closely with law enforcement to investigate the situation and will be notifying potential victims as soon as possible. The list of potential victims may be incomplete, so we are urging anyone who received services at the clinic to be on the lookout for fraud. ..."
Medical identity theft cases are relatively common, one recent survey shows.
A survey of 80 healthcare organizations conducted by research firm Ponemon Institute finds that 52 percent had one or more incidents of medical identity theft over the past 12 months.
Only one-third of those surveyed say they have sufficient controls in place to detect medical identity theft (see: Reports: Costly Data Breaches Persist).
One important step healthcare organizations can take to help prevent ID theft is to monitor employee computer activity on a regular basis, especially to detect unusual or inappropriate access, transmission, or printing of patient information, says David Harlow, a healthcare attorney and founder of The Harlow Group LLC consulting firm.
Healthcare should follow the lead of the financial services industry and consider requiring employees to take two weeks of annual vacation so that the organizations can use that time off to audit the workers' activity, he says.
Hospitals, clinics and others also should limit access to patient information based on job duties, he stresses. "That might include dividing information up so that no one person has all the information that might be used for fraud," he says. For instance, an organization could make Social Security numbers inaccessible to workers in the billing department.
Ron Raether, a partner at law firm Faruki Ireland & Cox P.L.L., suggests that information systems be configured to enforce role-based access to data and boost HIPAA compliance. "An ER admissions worker shouldn't have access to patient treatment information," he says. "[Controls] should be baked into third-party software, and if it's not, then the hospital should ask for it," he says.
Chris Hourihan, lead research analyst at the Health Information Trust Alliance, says that even if technology is available to help control employee access to patient data, healthcare organizations often don't tap those capabilities. For example, while employee access to patient data should be role-based, "a lot of hospitals don't take the time to look at how granular data control should be," he says.
Training and re-training of employees also is a critical ID theft deterrent, Harlow adds. "This highlights the rules and regulations - including consequences and penalties for inappropriate or illegal activity."