By: Lynn A. Toops, Attorney
It’s an unfortunate circumstance that we need to have a discussion about medical identity theft. Media reports about computer hackers and data breaches are on the rise and millions of unsuspecting consumers are finding themselves as victims of identity theft and dealing with the resulting hassle.
Consumer data breaches on the rise
Earlier this year, Forbes Magazine reported on 20 of the major consumer data breaches of 2014. Most of these breaches involved consumer credit and debit card information. Businesses including Neiman Marcus, Target Stores, Michael’s Craft Stores, and many others announced data breaches that exposed to cyber thieves sensitive customer information that often included names, payment card information, and in some cases, addresses and email addresses. Hackers sell this stolen information to others who use it to obtain fraudulent credit accounts.
Medical account information is targeted by hackers
Some of these data breaches involved a few thousand people and others involved tens of millions of people. Healthcare insurer, Anthem, reported in February 2015 that it was the subject of a massive data breach that involved more than 80 million past and current customers. Anthem announced that customer names, birthdates, addresses, and social security numbers had been accessed in the data breach. This particular data breach was different than others in that it wasn’t a payment data base that was hacked, it was a data base that contained information about medical insurance customers and their dependents. Anthem claims that thieves did not access protected health information. Cohen & Malad, LLP was the first firm to file a class action lawsuit against Anthem on behalf of all Anthem customers whose personal information was compromised as a result of this data breach.
Electronic health record company, Medical Informatics Engineering, Inc., reported in July 2015 that it was the subject of a data breach that involved medical health records of nearly 4 million individuals. The information obtained by the hackers included name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, and Social Security number. Worse yet, the hackers also obtained the following medical information: lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. Cohen & Malad, LLP was the first firm to file a class action lawsuit on behalf of all victims of the MIE data breach.
Law enforcement officials estimate personal medical information is worth seven to eight times more to criminals as personal information such as names, birthdates, and credit card information.
Earlier this month, the Wall Street Journal reported about cyber thieves using stolen medical insurance information to get health care services, prescriptions, and medical equipment. The reporter shared the story of a woman who spent hours of her personal time trying to fix fraudulent medical service charges after her son’s medical information was stolen.
Financial impact of medical fraud
Victims of medical identity theft can suffer serious financial losses. A survey conducted by the Ponemon Institute found 65% of medical identity theft victims spent an average of $13,500 to restore credit, pay fraudulent claims, and correct inaccuracies in their health records. In addition to these losses, consumers face the possibility of increased medical premiums as health care insurers may raise their costs to cover financial losses as well.
Consumer protection against medical identity fraud
Consumers have the right to privacy of their personal and medical information. When a data breach occurs and thieves gain access to sensitive information not only is their trust in the service provider damaged, their livelihood could also be at risk. In the aftermath of the MIE data breach customers were offered 24 months of credit monitoring and identity protection services. However, the impact of this theft will span far longer than 24 months. Personal and health information cannot be cancelled and reissued like a credit card. Instead, victims will need to regularly monitor their health records, bank statements, financial records, and credit reports to identify fraudulent activity and take action.
Class action lawsuits have been filed against companies like Anthem, Target, and now MIE who promised privacy and protection of sensitive client information and failed. These lawsuits seek to provide consumers compensation for their damages while also highlighting the importance of cyber security for all businesses who store information online.