To thwart ID theft, keep an eye on employees


Medical identity theft is increasing due to HIPAA violations by rogue employees, according to an article in Data Breach Today, because many companies either don't know what their people are up to or aren't using tools to monitor staff effectively.

Over 7 million patient records were breached last year, an increase of 138 percent from 2012, as FierceHealthIT reported.

Cases in point: Two hospital registrars reportedly accessed records of 250 patients without a business need to do so, leading to patient solicitations by medical mill healthcare providers. And a Florida emergency department employee pleaded guilty to charges of conspiracy and wrongful disclosure of identifiable information after accessing records of 763,000 patients and selling information on about 12,000 of them. The information was used to solicit legal and chiropractic services for people involved in car accidents, the article noted.

"Traditional audit tools, those that focus on rules, are not sufficient generally to catch this type of activity," security expert Mac MacMillan told Data Breach Today, "particularly if the information viewed was something the perpetrator would have access to normally."

Identity theft victims lose over $22,000 on average, according to Daily Finance. It can take over a year to dispute charges, correct medical records and repair credit damage. Further, some victims lost health insurance after criminals racked up claims expenses topping lifetime maximums.

To enhance information security in your organization, an American Bar Association Journal article recommends recognizing four types of employees who put medical information at risk:

  • The security softie, who lets family members use an employer's computer at home
  • The gadget geek, who plugs many devices into an employer's PC
  • The squatter, who uses corporate IT resources improperly
  • The saboteur, who hacks into restricted areas or purposefully infects the network

Also consider these expert-recommended prevention tactics from the ABA Journal: Train staff to maintain information security. Implement limited access and least-privilege policies. Secure information shared with third parties. Keep systems up to date and have a security assessment performed by an outside vendor.  Encrypt all data, and require employees to change passwords regularly.    

For more:
- read the Data Breach Today article
- see the ABA Journal article
- here's the Daily Finance article

Related Articles:
Partners in crime: Medical identity theft and fraudulent billing
Health industry struggling to keep up with growing ID theft problem
PHI breaches up 138% in 2013
Most health IT execs unprepared for a data breach
Health data breach count tops 800
Stolen health data increasingly sought after for commercial ventures
Health exchanges ripe for fraud, scams