Senators Want ID Theft Answers from HHSLetter Demands Details on Efforts to 'Support and Protect' Victims
In the wake of massive health data breaches, four U.S. senators are demanding that the Department of Health and Human Services provide details about how it tracks medical identity theft and fraud and how it assists victims.
While privacy and security experts say the ID theft issue deserves to be in the spotlight, one argues that there's relatively little HHS can do to address the issue, given its limited resources and mission.
In a Nov. 10 letter to Jocelyn Samuels, director of the HHS Office for Civil Rights, and Andy Slavitt, acting administrator of the Centers for Medicare and Medicaid Services, the senators request information on how HHS is working "to support and protect victims" of medical identity theft.
"We share concerns about the Americans who are at a greater risk of medical identity theft as a result of the growing number of data breaches at healthcare organizations," says the letter signed by Sen. Lamar Alexander, R-Tenn., chairman of the Senate Committee on Health, Education, Labor and Pensions, and its ranking member, Sen. Patty Murray, D-Wash.; as well as Sen. Orrin Hatch, R-Utah, chairman of the Senate Finance Committee, and its ranking member, Sen. Ron Wyden, D-Ore.
The senators note a total of 105 million individuals this year have been affected by five large health data breaches that hit Anthem Inc., CareFirst Blue Cross Blue Shield, Excellus BlueCross BlueShield, Premera Blue Cross and UCLA Health.
"We are concerned that data theft will continue to rise and will result in an increase in medical identity theft," the senators say in their letter. They note that in addition to the potential financial and medical harm posed to victims of medical ID theft, related fraud impacts the Medicare and Medicaid programs, adding "as much as $98 billion, or nearly 10 percent, to total annual Medicare and Medicaid spending."
Requests for Information
The senators ask CMS and OCR to answer several questions by Nov. 24, including:
- What support does HHS provide to federal, state and local law enforcement officials to aid their response to medical identity theft?
- What services does CMS offer to Medicare and Medicaid beneficiaries who suspect they are victims of medical identity theft?
- Do OCR and CMS track reported cases of medical identity theft?
- Explain the effect of the recent breaches at healthcare organizations on Medicare and Medicaid programs. Has CMS observed an increase in fraud? What has CMS done to prepare for a possible increase in fraud?
- Does HHS use the data collected under the HIPAA Breach Notification Rule to monitor potential breach victims for subsequent medical identity theft?
- Does HHS track the financial and medical impact of identity theft on victims?
- What support or educational resources does HHS offer to help consumers and contractors protect against, identify and respond to medical identity theft?
- Does HHS believe that the HIPAA Privacy Rule gives a victim of medical identity theft the right to access his or her health record if it contains a thief's health information?
- Does HHS monitor the effects of data breaches at non-covered entities, such as the Office of Personnel Management, on incidence of medical identity theft?
CMS did not immediately respond to ISMG's request for comment, and OCR declined to comment on the letter.
A GOP aide to the Senate Health, Education, Labor and Pensions Committee tells Information Security Media Group, "154 million Americans - almost half of the U.S. population - have been affected by healthcare industry breaches since HHS first started tracking breaches in 2009, with more than 100 million of those occurring this year alone. This recent uptick in breaches prompted the letter, and the HELP committee is exploring having a cyber hearing sometime during the early part of next year."
A source at the Senate Committee on Finance tells ISMG that it's premature to say whether that committee might also hold a hearing on the topic.
Three privacy and security experts offered a mixed reaction to the senators' letter. While they all say the ID theft issue deserves more attention, one questions whether HHS is in a position to address the matter.
Ann Paterson, senior vice president and program director of the non-profit coalition, Medical Identity Fraud Alliance, says her organization is "pleased at the attention the senators are giving to medical identity theft and fraud."
She adds: "We're particularly pleased with the recognition that medical identity fraud is unique from traditional financial ID fraud, including potential bad health outcomes to victims which may result from their medical records becoming corrupted with health information from the identity thief, and thus experiencing misdiagnosis or incorrect treatment."
Federal agencies could do far more to address the issue of medical ID theft and fraud, Patterson contends. "I do believe the government could collect data on medical ID theft and fraud - whether HHS or another agency," she says. "Currently, the Federal Trade Commission has an ID theft hotline and offers a uniform ID theft affidavit. While many victims do not report medical ID theft to official channels, such as law enforcement and/or the FTC, with increased awareness and victim remediation support, this has potential to change."
But even if HHS or other federal agencies had the authority or resources to track medical ID theft and fraud resulting from data breaches, the task would prove challenging, Patterson acknowledges.
"It is often difficult, or sometimes impossible, for any identity fraud victim ... to know when or how their information was accessed. Even in cyber data thefts where there may be an electronic 'cyber trail' to follow, it is difficult," she says.
Centralized data collection for medical ID fraud would be useful to detect fraud trends and support law enforcement, Patterson contends.
Out of Scope?
But privacy attorney David Holtzman of the security consulting firm CynergisTek - who was formerly an adviser at OCR - says the senators' letter appears to ask questions about ID theft matters that are out of HHS' scope.
"The request from the Senate [committees] is perplexing," he says. "When Congress created the breach notification provisions of the HITECH Act, it did not grant specific authority or imply that HHS should collect specific information about individuals affected by a specific breach. Nor did Congress authorize any mechanism for tracking the experience of individuals whose information had been disclosed. With hundreds of millions of American impacted by data breaches involving HIPAA covered entities and business associates, the breadth and scope of the information collection and investigative effort that would be required by OCR far eclipses the current mission and resource capabilities provided by Congress."
When an individuals become victims of ID theft or fraud, they turn to law enforcement agencies for the investigation and criminal prosecution of those responsible for these incidents, Holtzman points out. "There are no mechanisms in place for law enforcement at the local, state and federal level to collect and report data of medical identify theft and fraud to HHS. If Congress envisions some role for the agency to track or assist individual victims, there should be legislation to give OCR authority and the fiscal resources to collect data from law enforcement on reports of identity theft or fraud."
Cris Ewell, CISO at Seattle Children's Hospital says paying attention to medical identity theft is important, but the issue presents many challenges.
"The whole identity theft area is difficult to attribute to any breach," he notes. "Currently, there is not a good mechanism to identify medical identity theft. I do agree that it would be a good discussion on how organizations could cooperate with each other to identify the use of fraudulent information to gain care. In the financial world, we did this for the credit card transactions and now this is very mature and can detect fraud with a high degree of confidence."
Unlike the financial arena, healthcare lacks a common clearing house to evaluate medical care billing transactions, he notes. "This area will take cooperation and funding to solve, but is a great topic to discuss and much needed, considering the increased hacking/IT incidents in healthcare."