Controlling medical identity theft and fraud

Rising rates of medical identity theft raise serious concerns for program integrity and health insurance customers. To learn about responding effectively to this threat, FierceHealthPayer: Anti-Fraud spoke to Ann Patterson (pictured), senior vice president and program director of the Medical Identity Fraud Alliance (MIFA). MIFA is a cooperative public and private sector effort created to unite stakeholders in developing solutions and best practices to prevent, detect and remediate medical identity fraud.

FierceHealthPayer: Anti-Fraud: What can you tell us about the growth and effects of medical identity theft and fraud?

Ann Patterson: Between 2012 and 2013, the number of medical identity theft victims grew by 19 percent, according to results of a Ponemon Institute survey. That's a large year-over-year jump. Correlating that to the overall population, 1.8 million people were victimized or in some way affected by medical identity fraud. That works out to more than 300,000 new victims in 2013, representing about $12 billion in out-of-pocket costs. The Identity Theft Resource Center reported that as much as 43 percent of the identity theft they track is medically-related.

FHPAF: What factors contribute to increases in medical identity theft and medical identity fraud?

Patterson: Fraud jumps channels as the product delivery mechanism progresses with technology. Anything relating to mobile communications or the internet is going to become a risk. It's becoming pervasive for providers to store electronic protected health information, but it's hugely pervasive from a patient standpoint as well.

Think of all the websites people visit for advice when they have health symptoms. They go online, enter personal data and open an account, and the site returns medical feedback. In the health and fitness world, people track their diet, weight or health conditions on websites offering health management advice. People don't think about it, but these behaviors add to their cyber health identities and electronic health records.

Another contributing factor is that the monetary value of protected health information (PHI) is increasing based on supply and demand. Law enforcement is seeing a rise in medical fraud as perpetrators move into healthcare. As they do, the value of PHI on the black market increases. If criminals steal these data, they can sell them at a much higher cost than banking credentials, for example.

The impact of the Affordable Care Act is another contributing factor. As more people become insured, more electronic health records are created. So there are more identities to manage electronically.

Keep in mind that as we move into an electronic health records world, the healthcare ecosystem grows exponentially. It used to be that you went to your doctor, he charged for something and you wrote him a check. Now the doctor might bill an insurer, so your information goes to a third party. If the insurer electronically transmits payment information, maybe there's a financial institution involved, so there's fourth party.

All points of contact for health information should have high standards for data protection. But everyone in that chain isn't equally aware of medical identity fraud. That becomes another contributor to the problem.

FHPAF: What trends in medical identity fraud should health insurers know about?

Patterson: Cyberattacks have doubled since 2010 in the healthcare provider industry. So if you're not paying attention to that particular attack vector, then you need to because that's where fraudsters are going. Certainly it's easier for them to commit electronic fraud than it is to break into a hospital and steal records.

With mobile devices becoming prevalent, be sure to have policies in place for mobile technology, particularly in the use of certified devices and whether you allow staff to use personal devices to connect to your network.

Another thing to look at is cloud. It's efficient, cheap, flexible and scalable. If you're considering putting PHI on the cloud, how do you secure the information?

Another trend to watch is how consumer behaviors change. With Facebook and Twitter, people have become comfortable giving away their information. There's a fairly high level of comfort with reduced privacy. Many people don't understand yet that they need to protect their medical identity. Insurers should take this into account as they put controls and policies in place.

FHPAF: How can insurers engage greater numbers of customers in the fight against medical identity fraud?

Patterson: Look at the banking and finance industries for lessons learned. If you go to a bank, the messaging about fraud is pervasive. You may see a poster at your branch office with information about protecting yourself online. When was the last time you saw that when you went to your doctor's office or a hospital or when you filed something with your insurance company?

There's a steep learning curve on the consumer side. Messages such as change passwords frequently, don't disclose health insurance information unnecessarily and don't share it with others are all valuable.

Help customers understand the effect of commingling their PHI with another's. This is a fairly unique hook insurers can use to educate customers. Ask them, "What if you go to the hospital and your records are commingled with somebody else's? What if you're unconscious and transfused with the wrong blood type?" The seriousness of medical identity fraud should be a significant angle in consumer education.

FHPAF: Knowing health insurers store and work with high volumes of protected health information, what do insurers most need to know and do to fight medical identity fraud effectively?

Patterson: Approach medical identity fraud holistically. Don't just delegate the issue to an investigations unit to remediate after the fact.

Involve a chief information security officer in the work. Between the CISO and the SIU, you've covered the spectrum of your enterprise ecosystem. What happens to the data from the time that they're recorded, to the time they potentially might get hijacked, to the time they get used to commit fraud. Look at the whole chain, where all components work together.

To be really effective, create a cross-disciplinary team responsible for medical identity fraud prevention. The team should meet regularly to discuss how data are handled and what happens to them down the chain. Consider involving medical staff, human resources employees, appeals people and data administrators who generate and send paper or electronic explanation of benefits forms. Look at how hard copies are protected in transport and at rest. And don't forget to include the mail room supervisor, since mail fraud is old fashioned but still a very active fraud. People get PHI through the mail all the time.

FHPAF: Do you have any other insights, tips or information on this topic?

Patterson: Knowledge is power. The more people know about medical identity theft as consumers, insurers and providers, the stronger the healthcare ecosystem will be. The main tip is to be very passionate about your education and awareness efforts.

Editor's Note: This interview has been edited and condensed for clarity.

For more:
- see MIFA white paper entitled The Growing Threat of Medical Identity Fraud: A Call to Action (.pdf)
- read the Ponemon Institute's 2013 medical identity theft report