Medical identity theft is increasing because of HIPAA violations by rogue employees, according to an article in Data Breach Today. Many companies either don't know what their people are up to or aren't using tools to monitor staff effectively.
Over 7 million patient records were breached last year, an increase of 138 percent from 2012, as FierceHealthIT reported.
Cases in point: Two hospital registrars reportedly accessed records of 250 patients without a business need to do so, leading to patient solicitations by medical mill healthcare providers. And a Florida emergency department employee pleaded guilty to charges of conspiracy and wrongful disclosure of identifiable information after accessing records of 763,000 patients and selling information on about 12,000 of them. The information was used to solicit legal and chiropractic services for people involved in car accidents, the article noted.
"Traditional audit tools, those that focus on rules, are not sufficient generally to catch this type of activity," security expert Mac MacMillan told Data Breach Today, "particularly if the information viewed was something the perpetrator would have access to normally."
Identity theft victims lose over $22,000 on average, according to Daily Finance. It can take over a year to dispute charges, correct medical records and repair credit damage. Further, some victims lost health insurance after criminals racked up claims expenses topping lifetime maximums.
To enhance information security in your organization, an American Bar Association Journal article recommends recognizing four types of employees who put medical information at risk:
- The security softie, who lets family members use an employer's computer at home
- The gadget geek, who plugs many devices into an employer's PC
- The squatter, who uses corporate IT resources improperly
- The saboteur, who hacks into restricted areas or purposefully infects the network
Also consider these expert-recommended prevention tactics from the ABA Journal:
- Train staff to maintain information security
- Implement limited access and least-privilege policies
- Secure information shared with third parties
- Keep systems up to date and have a security assessment performed by an outside vendor
- Encrypt all data, and require employees to change passwords regularly