Posts Tagged ‘data breaches’

Medical Identity Fraud Alliance: A Call to Action by ITRC

The Medical Identity Fraud Alliance has recently published its first whitepaper titled, The Growing Threat of Medical Identity Fraud: A Call to Action, focusing much needed attention on the urgent issue of medical identity theft and fraud.

MIFA is the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for fighting medical identity fraud. The whitepaper defines medical identity fraud as the fraudulent use of an individual’s protected health information (PHI) and personally identifiable information (e.g., name, Social Security number) to obtain medical goods and services or to gain financial benefit. Medical identity theft is defined as the stealing of an individual’s protected health information.

The number of medical identity theft victims in the United States increased from 1.42 million in 2010 to 1.85 million in 2012, and healthcare fraud, which almost always requires medical identity theft to commit, costs the United States at least $80 billion a year. Medical identity theft and fraud are much more complex and difficult to mitigate than the far more widely known financial identity theft and fraud. Because criminals can monetize medical identities 20 to 50 times better than a financial identity, the value of a medical identity can be up to 50 times greater than a Social Security number alone. That high value motivates criminals to put more effort into illegally obtaining medical identities, resulting in more and more cases of medical identity theft. As more and more PHI is converted from paper health records to electronic health records (EHR) to improve information sharing and accessibility, the PHI becomes increasingly exposed to data breaches.

In the paper, MIFA stresses that the individual must be the first line of defense against medical identity theft and fraud. Lessons can be learned from the credit card industry and how it handled financial identity theft and fraud. It started by sharing fraud data and developing sophisticated analytics to identify potentially fraudulent credit card transactions, but also began verifying the flagged transactions with the consumers themselves. This process brought the consumer into the fight against fraud and helped the credit card industry crack down on it. The equivalent cooperation between the healthcare industry and the consumer is the Explanation of Benefits (EOB) sent about 30 days after a medical service is provided, but people rarely read them, and when they do, they rarely understand them. EOBs are therefore for the most part ignored; the communication loop between the consumer and the healthcare industry is broken, making it difficult for insurance plans to identify a fraudulent claim quickly.

MIFA believes that in order to properly mitigate the medical identity issues facing the healthcare industry today, there needs to be a coordinated approach between key stakeholders from the healthcare industry, security, compliance and privacy companies, government, law enforcement, nonprofit organizations, and academia. MIFA was formed to bring together stakeholders from each of these groups and provide leadership to:

  • Develop an awareness, education, and training campaign for the public and the healthcare industry.
  • Inform public policy decision makers about medical identity theft and fraud and its current and evolving impact through awareness, education, and research programs.
  • Establish a comprehensive applied research agenda.
  • Promote and encourage innovative best practices, processes, and technology to prevent and detect medical identity theft and fraud.

Several key stakeholders, including the ITRC, founded MIFA and have already begun this process, but more stakeholders, cooperation and information sharing are needed. Visit the Medical Identity Fraud Alliance website and see how you can help!

“Medical Identity Fraud Alliance: A Call to Action” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Data Breaches in Education by Infographics

HHS announces first HIPAA breach settlement involving less than 500 patients

Hospice of North Idaho settles HIPAA security case for $50,000

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC). It offers health care providers and organizations practical tips on protecting their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf


Last revised: January 2, 2013

Remember that you need identity theft protection. A data breach can happen at any time, and no matter what you do to protect yourself, your data can be exposed without your permission. Review The Identity Advocates protection services at: http://www.theidentityadvocate.com/identity-theft-protection.php

Data Breaches for the first half of 2010

Despite the law stating that medical breaches involving more than 500 people must be listed on the Health and Human Services (HHS) breach list, the Identity Theft Resource Center recorded medical breaches that never made the list. Do you know why? The HHS list allows the loophole of “risk of harm” without requiring federal law enforcement verification. One state has reported more than 200 breaches. Most are not included in the Identity Theft Resource Center Breach Report because they did not include sufficient pertinent details regarding the event. Some states now keep a protected breach list that is not made public at all, or is only accessible by exercising the Freedom of Information Act. Doesn’t this make you wonder why it is all so protected? Read the entire article from the Office of Inadequate Security: http://www.databreaches.net/?p=12436