Cybercrime and Identity Theft: Health Information Security Beyond HIPAA
by Cynthia M. Stamer, P.C. , Member, Glast, Phillips & Murray, P.C., Dallas, TX
Recent reports of widespread identity theft and other “cybercrime” woes of Choicepoint, LexisNexis, and Bank of America, highlight the need for health industry payers and providers to minimize their exposure to personal identity theft and other cybercrime scams by employees, business partners and others.
Potential inadequacies in the identity theft and other cybercrime safeguards of payers and providers are particularly problematic in light of the growth in personal identity theft and cybercrime statistics. The practice of incurring charges or committing crimes in someone else's name (“identity theft”) and committing crimes using a computer (“cybercrime”) have reached epidemic proportions in recent years. According to the Federal Trade Commission (“FTC”), identity theft losses exceeded $47.6 billion in 2003. In 2004, FTC identity theft complaints rose 15% to 247,000 complaints, including health care fraud, insurance fraud and theft of governmental documents and benefits.
Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically. Therefore, it is not surprising that they are targets of identity thieves and other cybercriminals.
These cybercriminals use various methods to obtain information from insurance and health industry businesses and others. These methods include:
- stealing records or information while working as agents or contractors for entities that maintain or create the records for legitimate business purposes,
- bribing or duping employees or business partners with access to records,
- hacking records, stealing mail, harvesting trash, or capturing information with various data storage devices (a practice known as "skimming"), and
- posing as legitimate businesses when requesting information on the Internet ("phishing") or telephone (“pretexting”).
The thieves’ creativity and approaches continually evolve, requiring individuals and organizations to constantly update their practices.
As with other organizations, the health industry’s greatest exposure to identity theft or other cybercriminals may arise from current or former employees and business partners. Identity thieves and other cybercriminals frequently use access obtained as employees or business partners to steal personal information or perpetrate crimes. For example, in April 2002, Christopher Scott Sandusky pled guilty to three counts of Unauthorized Access to a Protected Computer in violation of 18 U.S.C. § 1030(a)(5)(A) for unlawfully accessing the computer system of Steinberg Diagnostic Medical Imaging. Mr. Sandusky committed this crime after his employer, the imaging provider’s computer system consulting company, terminated him from employment. Similarly, in 2002, Washington Leung, a former employee in the Human Resources Department at insurance brokerage and consulting giant, Marsh Inc., was sentenced to 18 months in prison for illegally accessing and deleting hundreds of computer records. Mr. Leung was convicted of selling sensitive employee data and harassing certain employees in retaliation for Marsh, Inc. disciplining him in response to a sexual harassment complaint.
Indeed, the first reported criminal conviction for violation of the Health Insurance Portability and Accountability Act ("HIPAA") privacy rules involved a theft of protected health information by a former Seattle Cancer Care Alliance employee, Richard Gibson. Mr. Gibson used a patient's name, date of birth and Social Security number to obtain credit cards and subsequently charged $9,100 for personal items and expenses. While Mr. Gibson’s theft of protected health information resulted in his conviction under HIPAA, his actions also might have been prosecuted under various other Federal criminal statutes targeting identity theft or other cybercrimes such as 18 U.S.C. § 1028, which makes personal identity theft a felony under Federal law punishable with fines, up to 15 years imprisonment, or both. Health care entities may face vicarious liability for crimes committed by their employees and agents. Accordingly, payers and providers should take appropriate steps to prevent and detect identity theft and other cybercrime by their employees and business partners. Documenting such preventative measures will be useful in defending against such security breaches.
Health care entities must also defend themselves and their data against identity theft scams by outsiders. Sensitive data possessed by health industry payers and providers make them attractive identity theft targets for creative cybercriminals. In January 2005, for example, Trailblazer Health, a Medicare intermediary/carrier, posted a notice warning health care providers about an identity theft scam involving a caller posing as a Medicare Fraud Investigator or Medicare employee. The scam artists asks the provider to fax copies of the provider’s drivers license, Social Security Number, Provider Identification Number, medical license, medical charts or other sensitive information, claiming to need it to update the provider's record, replace information lost in a computer malfunction, or certain other plausible business reasons. Instead, the identity thieves use the information to file fraudulent claims under the provider’s identifying information with a different payment address created by the identity thieves.
While the identity thieves may make initial contact by telephone, cybercriminals claiming to be claims processors, payers, banks, government agencies or other apparently legitimate entities also may seek access to sensitive information through the use of e-mails or faxes. Growing use of on-line banking, claims submission, and other business transactions offer savvy thieves an increased opportunity to use targeted e-mail, spam, pop-up messages or other high tech “phishing” schemes to dupe recipients into disclosing protected health information, credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. In phishing scams, thieves use e-mail or other electronic communications that appear to come from a business known to the recipient such as a bank, Internet service provider ("ISP"), claims processor, online payment service, or even a government agency to trick recipients into divulging sensitive information. The message usually states that the recipient needs to provide the requested sensitive information to “update” or “validate” account information or for other plausible business reasons. Instead, the provider is directed to respond to a website that looks like a legitimate organization’s site, but actually is a site established by the cybercriminal for purposes of the cybercrime scam.Many health care providers, health plans and health care clearinghouses assume their implementation of additional data safeguards in response to the HIPAA Security Standards on April 20, 2005 adequately protect them against personal identity theft and other cybercrime exposures. While most health industry payers and providers recognize and have devoted significant resources to strengthening protections for electronic protected health information in response to HIPAA, various recent studies suggest that many covered entities have yet to fully implement the safeguards necessary to comply with HIPAA. Furthermore, these HIPAA initiatives typically segregate protected health information from other information and focus added safeguards only on the protected health information and related systems. Covered entities and other industry players often have devoted less consideration to other information and data and are less familiar with the potential responsibilities and exposures under other federal and state laws targeting identity theft and cybercrime. As a result, many payers and providers remain exposed to significant personal identity theft and other cybercrime risks. To guard against these security breaches, payers and providers should investigate their exposure to identity theft and cybercrime, evaluate the adequacy of their existing protections, and remain diligent in their efforts to reduce their exposure to these crimes.
For helpful tips and other information to help your organization guard against and respond to identity theft and other cybercrime, see the Computer Sentinel website at http://www.consumer.gov/sentinel, the FTC website at http://www.consumer.gov/idtheft/idt_laws.html, the Secret Service website at http://www.secretservice.gov; the Department of Justice website at http://www.usdoj.gov/criminal/fraud/idtheft.html, the U.S. Postal Service website at http://www.usps.com/postalinspectors/idthft_ncpw.htm, or http://www.phishinginfo.org.