By now, most people are aware of the consequences that data breaches create by exposing personal information, including credit card fraud or tax fraud. However, until recently, medical identity theft, the fastest-growing identity crime in the country impacting more than 2.3 million Americans, has mostly flown under the radar.

In February of 2015, Anthem, the nation's second-largest health insurer, announced that its systems had been the target of a sophisticated external cyber attack. This attack was one of the largest data breaches in U.S. history. Since the breach involved health insurance information as well as Social Security numbers, the affected individuals are at true risk of medical identity theft.

Medical identity theft can put a consumer's life or health at risk. Fraudulent activity can happen in several ways. The two most common include an individual posing as someone else in order to secure medical goods, prescriptions or services; or an individual billing someone else's insurance, Medicare or Medicaid without their knowledge. The affected person does not realize fraudulent activity has occurred. Electronic health records could be fraudulently changed, meaning anything from incorrect allergies to preexisting conditions. This could lead to a future misdiagnosis or inappropriate medical treatment.

Health Care Providers Face Threats

Health care providers without effective security measures should take note: 48 percent of consumers said they would consider changing health care providers if their medical records were lost or stolen, according to the Ponemon Institute's Fifth Annual Study on Medical Identity Theft. Consumers expect health care providers to be proactive in preventing and detecting medical identity theft. Forty percent say that if a breach occurs, it is important to receive immediate notification by the organization responsible for protecting their health care information.

Setting Up Your Defense

While medical identity theft is most harmful to a consumer, organizations that handle personal health information (PHI) can suffer costly legal ramifications as well as a tarnished brand if they are the source of the data breach. To be less susceptible to these and other liabilities, cyberattack prevention and cyber insurance plans should be in place. While there are several components that make up an effective cybersecurity strategy, the following can be the key lines of defense against an attack or when facing ramifications:

  • Encryption — Data at rest and data in motion should be encrypted to at least the levels recommended by HIPAA legislation, minimizing the risk that data is compromised.
  • Data leak prevention (DLP) — Also known as data loss prevention, DLP is a data security technology that monitors data in use, in motion and at rest in order to detect potential data breaches in a timely manner and prevent them. A DLP system configured properly handles careless data leaks by internal sources as well as intentional data theft by external hackers or malware.
  • Cyber insurance — Organizations that store or transmit personally identifiable information (PII) should review the insurance options for cyber protection. A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. Cyber policies vary greatly and an independent insurance consultant can help review the best coverage option.

Several of the organizations recently impacted by data breaches reported having information security systems in place, making appropriate insurance that much more important.

To determine if you are a business associate or covered entity as defined by HIPAA, visit bswllc.com to request a copy of our HIPAA Questionniare. For more information on cybersecurity,contact Tony Munns at 314.983.1297 or amunns@bswllc.com.

To discuss your cyber insurance options, visit bswllc.com, or contact Bill Goddard at 314.983.1253 or bgoddard@bswllc.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.