- About PS&F
- Industry Focus
- Education & Events
July 10, 2013
The ambulance tires crackled on broken glass, well before reaching the mangled car. The victim, an unconscious woman in her mid-twenties, was bleeding profusely. It was apparent that she would need immediate surgery upon arrival to the hospital. During transit, EMTs relayed information which allowed hospital staff to identify the victim as having visited the same hospital as a new patient six weeks prior, for an injury resulting in the partial loss of a finger on her left hand. When she arrived, staff quickly prepped her, and rushed her into surgery. Moments before the surgeon began work, an alert nurse noticed something odd. This woman had all of her fingers. They reacted quickly, kept her alive while they retested her blood type, and were able to save her.
Upon investigation, the hospital found a cyber breach in one of their satellite clinics had gone undetected for 3 months. The victim, a patient at the clinic, had not yet received anything in the mail regarding billing or insurance from the fraudulent hospital visit. The investigation also revealed a hacker had stolen the identities of hundreds of patients from the clinic and sold a series of false insurance cards to various people.
This is an example of a patient who could have had a significant adverse outcome because of medical identity theft. Medical identity theft involves the fraudulent use of another individual’s identifying information to procure medical services. This breach exposed the hospital to lawsuits, affected their reputation in the community, and left them open to higher scrutiny by regulators. On top of that, the insurance company that paid the fraudulent medical claims was seeking a refund of thousands of dollars.
The hospital had better-than-adequate cybersecurity, so no one thought they could be the target of a data breach. Could this medical identity theft incident have been detected earlier?
Patterns of Use
Hackers are actually close to the bottom of the list of suspects of medical identity theft. The most common perpetrators are employees and relatives or friends of the patient. All of these people have easy access to the confidential information needed to fraudulently secure medical care. Yet, many healthcare providers only detect medical identity theft when the fraud victim informs them of billing issues weeks or months after the fraudulent care has been given. This inefficient detection system creates exposure to catastrophic consequences, like the example above.
Early Detection of Medical Identity Theft
It is virtually impossible for a healthcare provider to adequately keep up with the ever-evolving tactics used by criminals. By establishing solid detection procedures, discovery of fraud is faster, the number of victims affected decreases, and the chances of catching the perpetrator increases. Contact PS&F’s Healthcare Practice Group for help to identify exposures and to work with you to create detection and prevention solutions.