Identity Theft Is a Growing Risk in Health Care: Ponemon Report

Medical identity theft is a real threat and is on the rise, according to an annual survey on health care data security by the Ponemon Institute, a company that conducts research on privacy and data in multiple industries.

Identity theft was previously considered an issue just for consumers, but now it’s becoming more of a concern in health care, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK.

“It hadn’t been on the radar, and now suddenly health care providers are paying close attention to this issue,” said Ponemon.

Of health care organizations surveyed, 52 percent reported medical identity theft. Inaccuracies in patients’ records were the cause according to 39 percent of this group, and 26 percent of this set of respondents said the identity theft affected patients’ medical care.

The identity thefts are occurring because hospitals are not asking the right questions to properly identify patients before treating them, Ponemon suggested.

“We’re just starting to see the early stage of organizations proactively attempting to manage this risk,” he said.

When medical identity theft occurs, a perpetrator might be using a patient’s health insurance information to receive care or prescriptions, said Rick Kam, president and co-founder of ID Experts, the health care data security company that sponsored the Dec. 6 report, called “Third Annual Benchmark Study on Patient Privacy & Data Security.”

“There are a lot of people that don’t have services needed for their health care so they rent and steal a health insurance number to get access to that specialized chemo treatment,” Kam told eWEEK.

Identity thieves could lead providers to make changes to a patient’s electronic health record, Kam added.

These crimes could result in doctors administering an incorrect antibiotic or a wrong blood transfusion. “Instead of being blood type B, it might be that of your perpetrator and instead of you being allergic to penicillin, your perpetrator may not be,” said Kam.

The survey by Ponemon found that 94 percent of health care organizations suffered at least one data breach within the last two years. In fact, 54 percent of health care organizations have little or no confidence that they’re prepared to detect loss or theft of patient data, according to the institute. Medical files and insurance records comprised the main types of data that were breached, according to Ponemon.

In addition, 69 percent of organizations said medical devices, such as mammography machines and insulin pumps, are unsecure and liable to leak patients’ protected health information (PHI), the report revealed.

Security of mobile devices was also a big issue for respondents, as the bring-your-own-device (BYOD) trend grows, said Ponemon. Of hospital staff interviewed, 51 percent said they can access patient records on their own devices, and 54 percent were unsure their mobile devices were secure.

In addition, the number of tablets lost or stolen doubled in the past year. In 2012, 18 percent of all devices lost are tablets compared with 7 percent in 2011, according to the report, which reflects the increased sale and availability of these highly mobile computers.

Hospitals are not investing enough in security measures to guard against breaches, said Kam. “What we’re seeing is that three out of five organizations don’t have the appropriate level of budget allocated to protect this information,” said Kam.

Health care organizations also don’t realize that breaches are a day-to-day occurrence rather than an occasional catastrophe, Kam added.

“You would think these organizations would put this more at the forefront of their priorities, and to me it’s just surprising that they haven’t,” said Kam.

“The majority are doing what they need to comply, but not going much further beyond compliance,” Ponemon added.

A glimmer of hope on health care data security appeared in a December 2012 report by the Health Information Trust Alliance (HITRUST). The total number of breaches has declined since 2009, according to HITRUST.

“The industry has improved slightly since breach reporting became mandatory in September 2009, but recent spikes make it unclear whether improvement will continue,” the report’s authors, Chris Hourihan and Bryan Cline of HITRUST, wrote.