Cybercrime and Identity Theft: Health Information Security Beyond HIPAA
by Cynthia M. Stamer, P.C. , Member, Glast, Phillips & Murray, P.C., Dallas, TX

Recent reports of widespread identity theft and other “cybercrime” woes of Choicepoint, LexisNexis, and Bank of America, highlight the need for managed care and other health industry payers and providers to minimize their exposure to personal identity theft and other cybercrime scams by employees, business partners and others. The practice of incurring charges or committing crimes in someone else's name (“identity theft”) and committing crimes using a computer (“cybercrime”) have reached epidemic proportions in recent years.  Potential inadequacies in the identity theft and other cybercrime safeguards of payers and providers are particularly problematic in light of the growth in personal identity theft and cybercrime statistics. According to the Federal Trade Commission ( “ FTC ” ), identity theft losses exceeded $47.6 billion in 2003 . In 2004, FTC identity theft complaints rose 15% to 247,000 complaints, including health care fraud, insurance fraud and theft of governmental documents and benefits.

Health industry payers and providers make attractive targets for identity theft and certain other cybercriminals because they collect and maintain large volumes of protected health information as well as other sensitive personal and financial data and conduct many transactions electronically. Therefore, it is not surprising that they are targets of identity thieves and other cybercriminals.

These cybercriminals use various methods to obtain information from insurance and health industry businesses and others. These methods include:

The thieves’ creativity and approaches continually evolve, requiring individuals and organizations to constantly update their practices.

As with other business sectors of the economy, the health industry’s greatest exposure to identity theft or other cybercriminals may arise from current or former employees and business partners. Identity thieves and other cybercriminals frequently use access obtained as employees or business partners to steal personal information or perpetrate crimes. For example, in April 2002, Christopher Scott Sandusky pled guilty to three counts of Unauthorized Access to a Protected Computer in violation of 18 U.S.C. § 1030(a)(5)(A) for unlawfully accessing the computer system of Steinberg Diagnostic Medical Imaging. Mr. Sandusky committed these crimes after his employer, the imaging provider’s computer system consulting company, terminated him. Similarly, in 2002, Washington Leung, a former employee in the Human Resources Department at insurance brokerage and consulting giant, Marsh Inc., was sentenced to 18 months in prison for illegally accessing and deleting hundreds of computer records. Mr. Leung was convicted of selling sensitive employee data and harassing certain employees—which crimes he committed in retaliation having been desciplined by Marsh, Inc. in response to a sexual harassment complaint.

Indeed, the first reported criminal conviction for violation of the Health Insurance Portability and Accountability Act ( “HIPAA” ) privacy rules involved a theft of protected health information by a former Seattle Cancer Care Alliance employee, Richard Gibson. Mr. Gibson used a patient's name, date of birth and Social Security number to obtain credit cards; he subsequently charged $9,100 for personal items and expenses. While Mr. Gibson’s theft of protected health information resulted in his conviction under HIPAA, his actions also might have been prosecuted under various other Federal criminal statutes targeting identity theft or other cybercrimes such as 18 U.S.C. § 1028, which makes personal identity theft a felony under Federal law punishable with fines, up to 15 years imprisonment, or both. Health care entities may face vicarious liability for crimes committed by their employees and agents. Accordingly, payers and providers should take appropriate steps to prevent and detect identity theft and other cybercrime by their employees and business partners. Documenting such preventative measures will be useful in defending against such security breaches.

Health care entities must also defend themselves and their data against identity theft scams by outsiders. Sensitive data possessed by health industry payers and providers make them attractive identity theft targets for creative cybercriminals. In January 2005, for example, Trailblazer Health, a Medicare intermediary/carrier, posted a notice warning health care providers about an identity theft scam involving a caller posing as a Medicare Fraud Investigator or Medicare employee. The scam artists ask the provider to fax copies of the provider’s driver’s license, Social Security Number, Provider Identification Number, medical license, medical charts or other sensitive information, claiming to need it to update the provider's record, replace information lost in a computer malfunction, or certain other plausible business reasons. Instead, the identity thieves use the information to file fraudulent claims under the provider’s identifying information with a different payment address created by the identity thieves.

While the identity thieves may make initial contact by telephone, cybercriminals claiming to be claims processors, payers, banks, government agencies or other apparently legitimate entities also may seek access to sensitive information through the use of e-mails or faxes. Growing use of on-line banking, claims submission, and other business transactions offer savvy thieves an increased opportunity to use targeted e-mail, spam, pop-up messages or other high tech “phishing” schemes to dupe recipients into disclosing protected health information, credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. In phishing scams, thieves use e-mail or other electronic communications that appear to come from a business known to the recipient such as a bank, Internet service provider ("ISP"), claims processor, online payment service, or even a government agency to trick recipients into divulging sensitive information. The message usually states that the recipient needs to provide the requested sensitive information to “update” or “validate” account information or for other plausible business reasons. Instead, the provider is directed to respond to a website that looks like a legitimate organization’s site, but actually is a site established by the cybercriminal for purposes of the cybercrime scam.

Many health care providers, health plans and health care clearinghouses assume their implementation of additional data safeguards in response to the HIPAA Security Standards on April 20, 2005 adequately protect them against personal identity theft and other cybercrime exposures. While most health industry payers and providers recognize and have devoted significant resources to strengthening protections for electronic protected health information in response to HIPAA, various recent studies suggest that many covered entities have yet to fully implement the safeguards necessary to comply with HIPAA. Furthermore, these HIPAA initiatives typically segregate protected health information from other information and focus added safeguards only on the protected health information and related systems. Covered entities and other industry players often have devoted less consideration to other information and data and are less familiar with the potential responsibilities and exposures under other federal and state laws targeting identity theft and cybercrime. As a result, many payers and providers remain exposed to significant personal identity theft and other cybercrime risks. To guard against these security breaches, payers and providers should investigate their exposure to identity theft and cybercrime, evaluate the adequacy of their existing protections, and remain diligent in their efforts to reduce their exposure to these crimes.

For helpful tips and other information to help your organization guard against and respond to identity theft and other cybercrime, see the Computer Sentinel website at http://www.consumer.gov/sentinel,
the FTC website at http://www.consumer.gov/idtheft/idt_laws.html,
the Secret Service website at http://www.secretservice.gov;
the Department of Justice website at http://www.usdoj.gov/criminal/fraud/idtheft.html,
the U.S. Postal Service website at http://www.usps.com/postalinspectors/idthft_ncpw.htm,
or http://www.phishinginfo.org.

	Cynthia Marcotte Stamer is Vice Chair of the ABA Health Law Section Managed Care and Insurance Interest Group and Chair of the ABA Real Property, Probate and Trust Section Welfare Plan Committee.
	See, e.g., “ChoicePoint: More ID theft warnings - ID company says criminals able to obtain almost 140,000 names, addresses and other information,” CNNMoney (February 17, 2005).
	See, Grey, “310,000 Exposed by LexisNexis Data Breach,” EarthWebNews (April 12, 2005).
	See, e.g., “Bank of America Loses Tapes With Federal Workers' Data,” Washington Post at page EO1 (February 26, 2005).
	See, FTC Identity Theft Survey Report (September 2003).
	Data from Consumer Sentinel and the Identity Theft Data Clearinghouse as Reported in “National and State Trends in Fraud & Identity Theft January - December 2004,” Federal Trade Commission (February 1, 2005).
	See e.g., “New York Electronic Crimes Task Force Arrests Defendant for One of the Largest Identity Theft Cases in U.S. History,” U.S. Department of Justice Press Release (February 28, 2002) (announcing Donald Matthew McNeese was arrested and charged with identity theft, credit card fraud and money laundering charges stemming from his theft of a computer database containing personnel records for approximately 60,000 employees of the Prudential Insurance Company, using access to records obtained through his position as a Prudential data base administrator.
	See “Nevada Cybercrime Task Force Nets Hacker,” US Department of Justice Press Release (April 17, 2002).
	See, “U.S Sentences Computer Operator for Breaking into Ex-Employer's Database,” US Department of Justice Press Release (March 27, 2002).
	Section 1028 defines prohibited personal identity theft as including knowingly and unlawfully transferring or using a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law or a felony under any applicable State or local law; producing, transferring or possessing an identification document or a false identification document for certain other unlawful purposes; as well as certain other activities.
	See Federal Sentencing Guidelines § 8.
	See 45 C.F.R. § 164.318(a)(1)(establishing April 20, 2005 as deadline for compliance for most covered entities except that Compliance date 4/20/05 for most covered entities while allowing small health plans until April 20, 2006 to comply with the rule).
	See, e.g., E.g., 18 U.S.C. § 1028, regarding identity theft, 18 U.S.C. § 1029 regarding fraud and related activity in connection with access devices, 18 U.S.C. § 1030 regarding fraud and related activity in connection with computers, 18 U.S.C. § 1362 regarding communication lines, stations, or systems, 18 U.S.C. § 2510 et seq. regarding wire and electronic communications interception and interception of oral communications, 18 U.S.C. § 2701 et seq. regarding stored wire and electronic communications and transactional records access, 18 U.S.C. § 3121 et seq. regarding recording of dialing, routing, addressing, and signaling information and others.
	See http://www.ncsl.org/programs/lis/privacy/idt-statutes.htm for a helpful reference of selected state laws regulating identity theft.