Over the past several years, IT experts have been frantically directing their attention toward healthcare, clamoring for the industry to improve cybersecurity, especially as more providers transition toward electronic health records (EHRs). Just a few weeks ago, President Obama highlighted cybersecurity as one of his top priorities in his State of the Union address.
Last week's Anthem hack has brought many of those concerns to life, exposing the personal information of approximately 80 million consumers. While many have pointed to the immediate financial impact of the hack, consequences surrounding medical fraud could leave a lasting impression.
Specifically, the information obtained through the Anthem hack--names, birthdates, addresses, email addresses, employment information and Social Security/member identification numbers--opens up three distinct avenues for healthcare fraud, said Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance (MIFA) in an exclusive interview with FierceHealthPayer: AntiFraud.
First, fraudsters can use personal information to submit fraudulent bills for services that were never actually performed. Second, criminals can fraudulently fill prescriptions using the information obtained in the hack, and then resell the narcotics for street value. Finally, thieves can use stolen information to obtain care under someone else's name, potentially altering the medical record of that individual.
"You might have those situations where the billing isn't fraudulent from the doctor's point of view because he actually [provided those services], but the person receiving those services didn't have their own insurance, so they purchased a medical identity through the black market in order to gain the goods and services that they need," Patterson said.
Furthermore, these schemes could prove elusive for fraud investigators as they attempt to keep pace with criminals.
Hard to detect
A lot of the attention surrounding the Anthem hack has been devoted to the possibility of financial fraud, but fraud schemes that revolve around medical identity theft are typically harder to detect and can have lasting impacts for patients and insurers. Most payers still rely on a pay-and-chase model to uncover fraud schemes, but given the amount of information that was accessed in the hack, Anthem will need to put more resources toward a proactive approach for fraud identification, Patterson said.
"I wouldn't be surprised if there is an uptick in fraud since there were 80 million records stolen--there is bound to be a certain percentage of fraud committed with those identities," Patterson said. "If that fraud happens to come through Anthem, as the health insurer that is going to pay these fraudulent claims, they are going to be looking at that pay-and-chase type of model, and it's going to be a little bit harder to remediate fraud."
From a patient standpoint, medical identity theft can have devastating consequences on an individual's plan of care. While financial fraud can be a tremendous headache, a thief who uses stolen medical information to access care can alter that person's medical record, which could lead to incorrect treatments or set off red flags with the DEA. This kind of fraud could take months or years to recognize, and the fallout could be overwhelming for someone who relies on his or her medical record to renew a professional license or maintain a job based on certain health conditions.
"Those kinds of things will take a while to sort out," Patterson said. "If you lose your job over something like this, it will be a devastating financial loss--but having your personal health information comingled and getting the wrong kind of treatment, that could obviously have some devastating effects on your health."
The consequences of this hack will not fall solely on the shoulders of Anthem. Fraudsters can use the stolen data to apply for new health plan coverage, just as they can open up fraudulent lines of credit.
"Once you have that kind of data, just like you would open a bank account in that person's name, you could go to Blue Cross Blue Shield or UnitedHealth and become a member of that plan and start submitting fake claims," Patterson said.
As Anthem is the second-largest healthcare insurance company in the country, there is a chance hackers were able to access the personal information of Medicare and Medicaid beneficiaries. Anthem offers Medicare Advantage, Medicaid managed care plans and subsidized insurance. The Department of Health and Human Services Office of Inspector General is investigating whether or not Medicare and Medicaid beneficiaries have been compromised, according to the Associated Press. If so, the potential breadth of fraud using stolen information could be much wider.
The same pay-and-chase model utilized by private insurers is exaggerated with Medicare and Medicaid, Patterson said. As the single-largest insurer in the country, it's much more difficult to proactively flag instances of fraud. Additionally, fraudsters recognize that Medicare covers an older, vulnerable patient population, and phishing schemes and fake phone calls often home in on senior citizens who may be more likely to provide additional information.
The healthcare industry was already well aware of the importance of cybersecurity. The issue was emphasized in August, when a Community Health Systems breach exposed 4.5 million patient records. Although the Anthem hack is significantly larger, the two breaches have highlighted the real-world concerns of cybersecurity vulnerabilities. Now payers and healthcare providers alike will be forced to try to keep pace with criminals attempting to access medical information.
"Criminals don't have laws or rules, and they don't have a budget. They are always going to be faster; they are always going to get there before everyone else does," Patterson said. "That's the challenge: When we see these breaches, to be nimble enough to keep ramping up at an exponentially faster speed so you can stay ahead of the criminals."