Healthcare providers, health plans, and business associates of covered entities have suffered huge data breaches this year. Hackers have targeted healthcare plans in 2015 and have been successful in obtaining huge volumes of PHI. The data is used for identity theft, but what is being done about it? Are the CMS and/or OCR tracking medical identity theft? Four senators are now demanding some answers.
Sens. Lamar Alexander, R-Tenn., Orrin Hatch, R-Utah, Ron Wyden, D-Ore., and Patty Murray, D-Wash., want to know what the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) are doing to tackle the growing problem of medical identity theft.
They have recently put their names to a letter to Jocelyn Samuels and Andy Slavitt demanding answers about the efforts being made toward tracking medical identity theft, as well as what is being done to help victims recover losses.
So far this year, huge data breaches have been suffered by Anthem Inc., Premera Blue Cross, CareFirst BlueCross, UCLA Health System, and Excellus BlueCross BlueShield. Those data breaches have resulted in the Protected Health Information of over 105 million individuals being obtained by criminals. A number of smaller breaches have also been suffered by HIPAA covered entities this year, with malicious insiders also managing to obtain patient health data with the aim of committing identity theft.
Medical records carry a high value on the black market, as patient health data can be used for identity theft, medical fraud, financial fraud, and tax fraud. An estimated $98 billion is lost each year to medical identity theft and fraud, and the projected losses are $305 billion, according to a recent 5-year projection from Accenture.
According to the letter, healthcare data breaches have exposed a total of 154 million records, and 1,367 data breaches have been self-reported by HIPAA-covered entities. Those figures only include the data breaches that have exposed more than 500 records.
The senators asked nine questions on remediation, education for breach victims, and medical identity theft tracking. They want answers from the OCR and CMS about how medical identity theft tracking is coordinated between the two agencies, whether either agency engages in medical identity theft tracking with non-HIPAA-covered entities, and whether any medical identity theft tracking takes place to determine the financial impact on victims.
There are also some aspects of HIPAA that they have asked to be clarified. The senators pointed out that a number of cases have been reported in which the victims of medical fraud have not been permitted access to their own medical records, in order to protect the identity of the person who stole their data. The senators cite a Ponemon report that indicates this occurs with one in five medical identity theft victims.
An answer to the questions has been demanded by November 24, 2015.