Healthcare data hacks: The next great conduit to fraud

Last week the U.S. Senate rushed out for its August recess like a second-grader on the last day of school, once again leaving behind cybersecurity legislation unattended and unfinished.

Part of the reason was the usual political gamesmanship of attaching bills to other bills and/or ransom notes, a negotiation tactic in which everyone eventually just kind of throws their hands in the air and walks away from the whole thing.

The other part of it is cybersecurity is relatively uncharted territory, which means legislators aren't sure how to address it. The bill in question, known as the Cybersecurity Information Sharing Act, was contentious, particularly among privacy advocates.

Perhaps more importantly, in its current form, it's completely ineffective. As Robyn Greene, policy counsel for the New America Foundation's Open Technology Institute points out, the bill protects companies against individual lawsuits, offering no suitable incentive to safeguard customer information. Furthermore, Greene contends that the bill would have done nothing to actually prevent some of the major data breaches this year, including the 80 million members exposed in the Anthem hack.

It's clear that cybersecurity is becoming one of the fastest growing concerns for both public and private sectors, spanning multiple industries. For healthcare entities—both payers and providers—the continuous stream of data breaches should be particularly frightening.

Last month, a whitepaper by the software company Symantec indicated that the Anthem hack could be traced back to a cyberespionage group that the company dubbed "Black Vine." Symantec added that the group is capable of targeted breaches and that the history of the group indicates that it will continue to focus on the healthcare industry. Around the same time, HealthFirst disclosed that a data breach exposing personal health information of 5,300 members was linked to a criminal fraud scheme.

This is just the latest in a year that has been rife with data security concerns. It's easy to see why healthcare is a prime target for criminal hackers. Put simply, health information is worth more, often going for 10-20 times more than credit card numbers on the black market. You can cancel your credit card. Your social security number? Not so much.

And from a simple business perspective, the return on investment is unmatched. That information can be used to orchestrate elaborate fraud schemes that cost private insurers and the government millions of dollars.

As the Wall Street Journal pointed out last week, the consequences of fraud schemes involving medical identity theft are devastating, as victims devote years of their life fighting off fraudulent medical bills for care they never received, or in some cases, trying desperately to remove someone else's health information from their medical file, like a drug allergy, which could be life threatening.

In many cases, victims have virtually no recourse to contest improper payments or care provided under their name. The Fair Credit Reporting Act limits the financial damage that one can iccur as a result of stolen financial information, but there are no such protections when it comes to health information, leaving victims of fraud grasping at thin air.

For all these reasons, cybersecurity has become the next great frontier for fraud prevention, similar to the way power wheelchair fraud schemes dominated the headlines in the mid-1990s, and Part D fraud has emerged within the last decade. But it's a problem that is more widespread, and arguably more detrimental. Gone are the days where fraudsters had to pay off patient recruiters for Medicare beneficiary information. Now there's a new easily accessible marketplace. Think of it as buying from Amazon rather than Walmart, except slightly more sinister. 

It's easy to connect the dots between these healthcare hacks and the potential for widespread fraudulent billing. Without the appropriate barriers to better protect that information, both payers and beneficiaries are vulnerable to multimillion-dollar fraud schemes.

If that alone doesn't make payers nervous, the civil lawsuits against Anthem should. Claimants argue that stolen information was used to purchase coverage in other states or open up lines of credit, but Anthem counters that the FBI is closely monitoring the black market to see if any beneficiary information changes hands, which essentially absolves the company of liability.

"Despite allegations to the contrary, there is no evidence that the cyber attackers have shared or sold any individuals' data; and there is no evidence that fraud has occurred against any individuals who could have been impacted," Anthem spokeswoman Kristin Binns told the Indianapolis Business Journal.

She forgot one word: Yet.

More to the point, Anthem's perspective misses the intent of cybersecurity entirely. Protected health information should be just that: Protected. Relying on the FBI to track pilfered health information is like stopping bank robberies by finding out where the stolen cash was spent. Once it's gone, the damage is already done.

Congress will eventually pass a cybersecurity bill, despite all the political infighting and hostage-holding. Whether it is effective or not remains to be seen. Either way, fraud fighters and health insurers should be front and center in this discussion, or risk realizing that their fraud prevention efforts are vastly outmatched by the emerging schemes. - Evan (@HealthPayer)