With each passing week, it seems, news breaks of another major hack on a health system, insurance company, or the government. From the UCLA Health breach with 4.5 million victims to Anthem with 80 million victims, the Washington Post declared 2015 the “year of the health-care hack” – and it shows no sign of abating. These intrusions have compromised sensitive personal data on a massive scale: Social Security numbers, health information, payment information, passwords and more. Experts are now advising people to assume their information is already compromised and to take proactive steps to minimize the potential damage: according to the government and other watchdog groups, more than one third of people in the United States have had their information exposed in a healthcare breach since 2009.
When thieves gain access to your health insurance information or medical records, they can do several things: purchase goods online with a fraudulent line of credit, buy medical equipment with an intent to resell it, or purchase medical services for other people under your name. The first two are more commonplace financial crimes that can be addressed. However, if a thief uses your insurance policy to give someone else access to medical care under your name, that has the potential to corrupt your medical record with false information.
Some hacks, including the Anthem one, have exposed Social Security numbers. Those nine digits are the master key to just about every financial account or government record you have. The key thing to understand about a Social Security number hack, as opposed to a credit card hack, is that you must remain vigilant for your entire life after the breach: people almost never get issued new Social Security numbers – if the government did so, about half the nation would be eligible.
So what should you do in the first few hours after being alerted to a data breach at your health insurance company or healthcare provider?
- Place a fraud alert on your credit report and start active monitoring
When your Social Security number is compromised, time is of the essence. You should first contact the three main credit bureaus (Equifax, Experian and TransUnion) and request a fraud alert for your credit report. However, don’t rely just on an automated fraud alert to detect all unauthorized charges or new credit lines. Beyond the services offered by the credit bureaus, consider using a third-party monitoring service or the one that might be offered for free by the insurance company or provider that was hacked in the first place. For example, when Anthem announced that 80 million customers’ information was compromised, it provided a new credit monitoring service immediately.
- Keep an eye on your insurance bills for fraudulent claims
Annual reports from the Ponemon Institute, a data security research firm, show that the volume and out-of-pocket impact of medical identity theft are growing each year. Bloomberg analysis of the report showed that “…a third of those who had their identity stolen said they incurred out-of-pocket costs averaging more than $18,000 in legal expenses, credit-reporting fees, medical services because of a lapse in health insurance, and payments to health-care providers for services provided to the impostor in their name.”
It is dead simple for an identity thief to use your insurance number and other basic information to access health services, purchase medical equipment or fill prescriptions – and the charges will go directly to your insurance company, and from there to your pocket. The best (and perhaps only) way to ensure that someone doesn’t use your medical identity to run up bills is to track your insurer’s medical claims closely. Insurers generally make claims and payment information available online or through the mail, so use those resources to the fullest.
- Remain vigilant as time goes on
Since health data breaches often involve thousands or millions of customer records, it might take some time before your information is actually used for fraudulent activities. Therefore, make an effort to keep a close eye on your credit reports and medical claims data for years to come. Life gets busy, so consider a system, perhaps of automatic reminders, to keep this issue top of mind. Catching fraud soon after it happens gives you the best chance to fix things.
You might be thinking: how can we accept a status quo where almost all of our personal, health and financial information is compromised at all times? Does that defeat the purpose of having private information at all? You are right to ask these questions, and the answers are not simple. The nation’s health information technology infrastructure has insufficient security standards and thousands of entry points, from your local doctor’s office or pharmacy to the big hospital system downtown. The problems are likely to spread even more as health information systems become more “interoperable” – or able to talk to each other and share data seamlessly.
Just as the financial world is adopting chip technology to make credit cards less susceptible to fraud, leaders in healthcare information technology should make security a top priority and assemble multi-disciplinary teams to drive new solutions. Our health information is too precious and valuable to accept anything less.
NOTE: The views expressed here are those of the author and do not necessarily represent or reflect the views of Healthcare, Inc. and HealthCare.com.