Faulkner: “Umbrellas in a Tornado”
Posted February 11, 2015
ThreatMetrix’s Alisdair Faulkner Is Joined by Other Security Experts Who Offer Views on Many Aspects of the Health Data Breach Menace
On the utility of credit monitoring, Alisdair Faulkner, ThreatMetrix chief products officer, wryly observed to Maria Korolov for her story on csoonline.com, “Credit monitoring for a breach of your identity data, medical or not, is like handing out umbrellas in a tornado.”
And, of course, the consequences of a stolen ID to a patient and his/her family could be catastrophic both medically and monetarily. Faulkner adds, “If I’m a criminal, I can either try to apply for a credit card with a limit of a few thousand dollars, or I can use your identity to access or bill for healthcare worth hundreds of thousands of dollars. How long until we see people being bankrupt by procedures they didn’t have, or doctors making the wrong call in a medical emergency due to false medical history?”
The most recent Ponemon study on the subject says that 1.8 million Americans or their close family members were victims of medical identity theft, with 36 percent facing significant out-of-pocket expenses. Some victims had to pay full price for medical services or medicine because their medical insurance lapsed. Or they had to pay for costs incurred by cybercriminals. The average price tag? $18,660.
In her csoonline.com article, in addition to Faulkner, Maria Korolov tapped a number of experts for their input on medical ID theft and fallout from the Anthem breach. The following has been excerpted from her story and edited to fit our format. You may find the full article by clicking on this link.
On your record
“If someone gets your medical identity, and uses that to get medical goods, services, prescriptions — everything they do goes on your personal health record,” said Bob Gregg, CEO at Portland, Ore.-based ID Experts, which provides medical identity monitoring services. Then, the next time you’re unconscious in the emergency room, the doctor won’t just see your medical history, but that of the fraudsters as well. “Suddenly, all your preexisting conditions are incorrect,” he said. “Allergies, drug interactions.”
A potential victim’s view
Claudia Gere, an author consultant based in Massachusetts, was one of the 80 million affected by the recent Anthem breach. She said that learning of the breach made her feel vulnerable and scared. “When I need to get medication in an emergency and I find that my account has been closed for lack of payment or whatever reason… I think I would be able to dispute the charges,” she said. If it took three months to sort things out, she said, she’d be able to cover her current medications out-of-pocket. “But for a lot of people, it could be more than an inconvenience,” she said. “It could be life threatening.”
According to Anthem, the data stolen includes names, dates of birth, member ID and social security numbers, addresses, phone numbers, email addresses and employment information. “That data could definitely be used for billing fraud,” said Andrew Hicks, healthcare practice lead at Denver-based Coalfire Labs.
Black market big on medical ID info
In fact, medical identity information is significantly more valuable than credit card numbers or social security numbers alone. According to the World Privacy Forum, the former has a street value of around $50 — compared to a street value of $1 for the latter. And the average profit per record is $20,000 — compared to just $2,000 for regular identity theft.
“Generally, prices for stolen health coverage data are an order of magnitude greater than for compromised payment card data,” said Don Jackson, director of threat intelligence at Charleston, SC-based PhishLabs.
Takes twice as long to spot med. info. fraud
One reason, according to an EMC white paper about healthcare cybercrime, is that medical information fraud takes twice as long to spot, and is difficult to address.
Difficult to repair
Bank accounts can be easily closed, and credit cards re-issued, but correcting medical records is a far tougher challenge.
The World Privacy Forum has a list of tips for consumers, which include requesting copies of insurance billing records on a regular basis, filing police reports when there are fraudulent charges, and taking steps to correct the records when discrepancies are found. However, the organization admits that some of this can be difficult — in particular, police departments may not even accept a report on crimes outside their jurisdictions.
Insurance companies miss fraudulent transactions
Meanwhile, many insurance companies do not have the kind of monitoring that credit card companies do to catch unusual behaviors or fraudulent transactions, said ID Experts’ Gregg.
Criminals take advantage
According to Gregg, there are three main ways that criminals take advantage of this. There’s the classic medical identity theft where fraudsters print up fake IDs and get medical care on your dime.
Then there’s a more profitable billing fraud industry, where fraudsters set up fake clinics and bill your insurance provider for services and treatments you never received.
“It’s like having a credit card that you can use to the limits of your policy, which is usually measured in the millions of dollars,” he said.
Finally, your medical information can be used to order prescription drugs, which are then resold on the street for a steep markup.
“There are online pharmacies basically set up as pill mills,” he said.
They don’t care if the prescription itself is valid — as long as the billing information is correct.