Health industry struggling to keep up with growing ID theft problem

The rise in medical identity theft in the U.S. in recent years--and in particular, theft involving a breach in technology--has been swift and has left many concerned about the effectiveness of privacy regulations, according to a recent Stateline report.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," Washington, D.C.-based health attorney James Pyles--who has worked on privacy measures both for HIPAA and the HITECH Act--told Stateline. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

According to a recent survey published by Identity Theft Resource Center--a San Diego, Calf.-based nonprofit--more than 40 percent of all records breaches involving personal information nationwide were of the medical variety in 2013, Stateline reported. That number exceeded breaches that took place in various other industries, including banking, the government and education.

What's more, the article noted, according to the U.S. Department of Health & Human Services, more than half of all medical-related breaches were the result of a stolen computer or electronic device.

Despite the high-tech theft taking place, though, many providers ultimately have relied on the word of employees and others who gain access to such information to ensure privacy protection, according to Stateline. For instance, at a Vermont hospital cited in the report as an example, two data breaches that took place involved employees either stealing equipment or accessing data without permission.

In addition to HIPAA and HITECH, covered entities now also face potential regulatory action from the Federal Trade Commission. The agency, last month, disagreed with Atlanta-based medical testing laboratory LabMD that the company was not subject to FTC security enforcement since it already was considered a covered entity under HIPAA.

"I think the FTC is going to become a more active player where enforcement is concerned," Jeff Smith, director of federal relations for the College of Healthcare Information Management Executives, told FierceHealthIT via email. "The FTC is already active in monitoring mobile application marketing practices in healthcare [and] medical identity theft, and the case in question underscores their intentions to flex their muscle where information and data security compliance is concerned."

According to analysis recently published by IT security audit firm Redspin, more than 7 million patient records were breached last year, an increase of 138 percent from 2012; the report analyzed breaches recently reported to HHS.

To learn more:
- here's the Stateline report