Identity Theft in the Healthcare Industry

Anjana K | October 5, 2021

In addition to the many challenges faced by the healthcare industry, the pandemic has also increased the risk of cyber-security threats. Last year, healthcare providers all over the world were targeted by a variety of complex and coordinated cyber-attacks, making the healthcare industry one of the biggest victims of identity theft.


Targeting the Healthcare Industry

Medical records are valued at 20 to 50 times more than financial identities on the black market.

Dates of birth, addresses, emergency contacts, family members’ details, and insurance plans are just some of the data that can make up an individual’s medical file. Medical identity theft is when a person illegally uses another person’s protected health information to commit fraud, such as getting prescription drugs, submitting insurance claims, or charging someone else for medical expenses. This is one of the fastest-growing criminal activities, with over half a million cases reported across the world.

Industry professionals believe that medical identity theft will continue to skyrocket in the post-COVID era because healthcare organizations tend to invest inadequately in IT security. In fact, healthcare is the only industry where insiders are a greater threat than outsiders: internal employees caused 56% of the breaches, while external actors caused only 44%. For instance, providers may file fraudulent claims on an individual’s insurance to get reimbursement for procedures they never performed. They do that to offset the cost of treating uninsured clients.

Apart from financial losses, victims of healthcare identity theft may face graver issues like incorrect diagnosis of illnesses due to absence of correct information or refusal of treatment due to restricted access to medical benefits.

“Organizations are far too reliant on firewalls and encryption, neither of which can stop modern-day cyberattacks,” says Tom Kellermann, Chief Cybersecurity Officer at VMware Carbon Black.

Social engineering is one of the major enablers of healthcare breaches. Phishing attacks, discarded USB drives, and direct social fabrication help hackers breach a healthcare provider’s records.

Consumer complaint data suggests that medical identity theft occurs at different rates in different regions of the US, creating hotspots. In 2013, the healthcare sector accounted for 43% of all identity theft cases in the US. Around March 2017, Indiana’s Medicaid unit discovered that nearly 1.1 million patients’ information had been publicly exposed through a hyperlink since February. The report contained patient data including name, Medicaid ID number, the names and addresses of doctors treating patients, procedure codes, dates of services, and the amount Medicaid paid doctors or providers.


Preventing Medical Identity Theft

The first step is to find out where the theft started. New websites, links attached to an unusual or unsolicited email, or registration on e-commerce sites with improper security features can all lead to such theft.

Healthcare providers require software patching and vulnerability assessments as a part of the business lifecycle. The best protection against either external or internal theft is constant monitoring through the deployment of honeypots and other security practices. Portable storage devices should be carefully regulated. Employees with access to patient data also need to be monitored, with access granted based on each employee’s responsibilities at the workplace.
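One way to combine the honeypot and role-based monitoring described above, shown as an added example that is not part of the original article. The role map, decoy patient IDs, log format and bulk-access threshold are all constructed assumptions, not values from any real system.

```python
# Assumed role map: record categories each job role needs for its duties.
ROLE_SCOPE = {
    "billing_clerk": {"billing"},
    "nurse": {"clinical"},
    "physician": {"clinical", "prescriptions"},
}

# Assumed decoy (honeypot) patient IDs. No real patient exists behind them,
# so any access is worth investigating.
DECOY_PATIENTS = {"P-DECOY-01", "P-DECOY-02"}

# Constructed audit log: timestamp,user,role,patient_id,record_category
SAMPLE_LOG = """\
2021-10-01T09:02:11,asmith,nurse,P-1001,clinical
2021-10-01T09:15:40,bjones,billing_clerk,P-1001,billing
2021-10-01T09:16:02,bjones,billing_clerk,P-1002,clinical
2021-10-01T09:16:30,bjones,billing_clerk,P-1003,billing
2021-10-01T09:17:05,bjones,billing_clerk,P-1004,billing
2021-10-01T09:17:44,bjones,billing_clerk,P-DECOY-01,billing
2021-10-01T10:30:00,clee,physician,P-1001,prescriptions
"""


def review_access(log_text, bulk_threshold=3):
    """Return (timestamp, user, reason) findings for suspicious record access."""
    findings = []
    patients_by_user = {}
    for line in log_text.strip().splitlines():
        ts, user, role, patient, category = line.split(",")
        # Honeypot hit: a decoy record has no legitimate reader.
        if patient in DECOY_PATIENTS:
            findings.append((ts, user, "decoy_record_access"))
        # Default deny: an unknown role has an empty scope.
        if category not in ROLE_SCOPE.get(role, set()):
            findings.append((ts, user, "outside_role_scope"))
        patients_by_user.setdefault(user, set()).add(patient)
    # Assumed heuristic: many distinct patients per user suggests bulk browsing.
    for user, patients in sorted(patients_by_user.items()):
        if len(patients) > bulk_threshold:
            findings.append((None, user, "bulk_patient_access"))
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG):
        print(finding)
```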

People should keep their medical information safe and watch their credit reports for unpaid medical bills that enter the records. People who commit medical identity theft usually do so to obtain compensation from an insurance company or others for services they did not provide. To detect this type of fraud, consumers should carefully check any explanation of benefits statements they receive from their insurers. The insurance provider should be contacted immediately if the person gets a statement for a procedure they did not receive.

HIPAA – Health Insurance Portability and Accountability Act

The protection of healthcare information starts with educating the professionals who handle patients’ private data on stronger measures to safeguard patients’ details. Covered entities must implement reasonable safeguards to limit incidents and avoid disclosure of PHI, including when disposing of such information. HIPAA also gives people the right to copies of their records maintained by covered health plans and medical providers. Patients may request copies of their medical and billing records to help determine the implications of the theft and to examine their records for inaccuracies before requesting further medical attention. There’s no central source for medical records, so patients have to contact each provider they are doing business with – including doctors, clinics, hospitals, pharmacies, laboratories, and health plans.

Overall, it is said that the weakest link in cyber security is the human factor. Threats in healthcare will continue to evolve in the future. To stay one step ahead of these threats, we must increase our awareness about what is happening and share more information about what is going on with our family and colleagues. Healthcare organizations should continue to support cybersecurity professionals as they help to safeguard patient records. There is no better time than the present to improve our cybersecurity defences.


About the Author –


Anjana K

Anjana is part of the security practice. Her interests include mobile application hacking, and she practices web application penetration testing.
