Managing Your Practice

Medical identity theft


In his book, “Scam Me If You Can,” fraud expert Frank Abagnale relates the case of a 5-year-old boy whose pediatrician’s computer was hacked, compromising his name, birth date, Social Security number, insurance information, and medical records. The result was a bureaucratic nightmare that may well continue for the rest of that unfortunate young patient’s life. One can only speculate on the difficulties he might have as an adult in obtaining a line of credit, or in proving his medical identity to physicians and hospitals.

Medical identity theft is increasingly popular with scam artists, because it is so lucrative. Everything a crook needs to commit ordinary identity theft – your Social Security number, bank account numbers, etc. – sells for about $25 on the black market; add health insurance and medical records, and the price can jump to $1,000 or more. That’s because there is a far greater potential yield from medical identity theft – and once your personal information and medical records are breached, they are in the Cloud for the rest of your life, available to anyone who wants to buy them. Older patients are particularly vulnerable: Medicare billing scams cost taxpayers more than $60 billion a year.

If your office’s computer system does not have effective fraud protection, you could be held liable for any fraud committed with information stolen from it – and if the information is resold years later and reused to commit more fraud, you’ll be liable for that, too. That’s why I strongly recommend that you invest in high-quality security technology and software, so that in the event of a breach, the security company will at least share in the fault and the liability. (As always, I have no financial interest in any product or industry mentioned in this column.)

Even with adequate protection, breaches can still occur, so all medical offices should have a breach response plan in place, covering how to halt security breaches, and how to handle any lost or stolen data. Your computer and security vendors can help with formulating such a plan. Patients affected by a breach need to be contacted as well, so they may put a freeze on accounts or send out fraud alerts.

Patients also need to be aware of the risks. If your EHR includes an online portal to communicate protected information to patients, it may be secure on your end, but patients are unlikely to have similar protection on their home computers. If you offer online patient portal services, you should make your patients aware of measures they can take to protect their data once it arrives on their computers or phones.

Patients should also be warned of the risks that come with sharing medical information with others. If they are asked to reveal medical data via phone or email, they need to ask who is requesting it, and why. Any unsolicited calls inquiring about their medical information, from someone who can’t or won’t confirm their identity, should be considered extremely suspicious.

We tell our patients to protect their insurance numbers as carefully as they guard their Social Security number and other valuable data, and to shred any medical paperwork they no longer need, including labels on prescription bottles. And if they see something on an Explanation of Benefits that doesn’t look right, they should question it immediately. We encourage them to take advantage of the free services at MyMedicare.gov, including Medicare Summary Notices provided every 3 months (if any services or medical supplies are received during that period), to make sure they’re being billed only for services they have received.

Your staff should be made aware of the potential for “friendly fraud,” which is defined as theft of identity and medical information by patients’ friends or family members. (According to some studies, as much as 50% of all medical identity theft may be committed this way.) Staffers should never divulge insurance numbers, diagnoses, lab reports, or any other privileged information to family or friends, whether by phone, fax, mail, or in person, without written permission from the patient. And when callers claiming to be patients request information about themselves, your employees should be alert for “red flags.” For example, legitimate patients won’t stumble over simple questions (such as “What is your birth date?”) or request test results or diagnoses that they should already know about.

Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a longtime monthly columnist for Dermatology News. Write to him at dermnews@mdedge.com.