The data security threat from malicious outsiders is severe, but a recent breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights indicates some of those malicious outsiders have become malicious insiders, at least in New Jersey, where a worrying new healthcare fraud risk has been uncovered.
Fake Doctors: A New Healthcare Fraud Risk that Must be Monitored and Addressed
Horizon Healthcare Services, doing business as Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ), has started notifying 1,173 plan members that a number of physicians have gained access to their Protected Health Information with the intent of defrauding them. It is unusual for physicians to inappropriately access patient data; however, in this case the data theft was not caused by real physicians. A number of criminals posed as doctors with the sole intention of gaining access to patient data to commit medical insurance fraud.
On July 30, 2015, Horizon BCBSNJ’s Special Investigations Unit discovered that “several perpetrators falsely established themselves as doctors or other health care professionals” in order to gain access to patient data. It is not clear how the criminals were discovered from the breach notice published on the Horizon website, nor how long they had been able to access medical files, but during the time that access was possible they managed to obtain member ID numbers of Horizon BCBSNJ members, in addition to names, dates of birth and gender: Personal information which is typically only accessible by physicians and healthcare workers.
Not only was that data accessed, in a number of cases the information was used to submit false insurance claims to Horizon BCBSNJ, claiming for medical services which had not been provided by the physicians. An investigation into the fraud has been launched and both the U.S. Attorney’s Office and the FBI are following up. In this case it would appear that plan members are not at risk of identity theft, even though some of their personal information is now in the hands of criminals.
Horizon BCBSNJ has contacted all individuals whose information has been used fraudulently, and others whose data is believed to have been exposed have been contacted by mail. It may not be possible to prevent fraudulent use of data, but it is essential to monitor for fraudulent activity. Health Plan members should make sure they obtain and carefully check Explanation of Benefits statements for any sign of suspicious activity. Healthcare fraud risk can be managed. The sooner fraud is discovered, the easier it will be to limit the damage caused.