Monday, November 30, 2015

Identity Theft Prevention in Healthcare Tips

With just 1 month left in 2015, healthcare has already seen an astronomical 109 million records breached. That accounts for just a little over 78 percent of the total number of records breached in all sectors of the US economy this year. The leading cause of breaches in healthcare this year is cyber-crime. In 2014, there were approximately 2.32 million victims of medical identity theft in the US. That is an increase of almost 50 percent over the previous year. Sadly, it is not always cyber-crime that leads to medical identity theft. Employees of healthcare organizations have access to thousands, if not millions, of patient records every day. There have been two high-profile cases in the news within just the last few months.

In June of this year, local authorities and Montefiore Medical Center in Manhattan conducted an investigation that uncovered an identity theft ring that included an employee of the medical center. The employee was charged with identity theft, and it is believed that she sold as many as 12,000 patient records between 2012 and 2013. In July, local authorities in Jackson, Mississippi notified Merit Health Northwest Mississippi that one of its employees was potentially involved in identity theft and was currently under investigation. It is believed that between February of 2012 and June of 2015 this employee accessed the records of at least 810 patients for the purpose of identity theft. The investigation is still ongoing.

What can you, as a frontline employee, do to help protect patient information against loss due to theft? The first step is to understand your access to patient information and its intended use. Employees of any medical or dental practice are bound by law to access patient information for the purpose of treatment, payment and healthcare operations only. That means you access records when you are involved in the treatment of a patient, or involved in filing claims or collecting payments. In addition to direct patient care, there are healthcare operations that may require access to patient records, such as quality assessments, employee evaluations, legal and medical reviews, and employee access monitoring to ensure it is appropriate.

Next, know your environment. If you see something suspicious, or you believe someone else is using or accessing patient information inappropriately, you have an obligation to report such activity. Breaches in general have an enormous detrimental effect on the entity. Those related to insider activity are even worse, further eroding the trust of the patient-consumer. Already 68% of the population does not believe that the healthcare sector does enough to protect their information. The estimated financial cost to the organization for breached records is around $200. However, the cost of a damaged reputation is a very real concern for any business in the US, and healthcare is no exception. In the aftermath of a breach, the high cost of recovery affects not only the bottom line for an organization but the employees as well, through job loss for some and additional hiring and training for others.


Finally, report any suspicious activity from outside the organization. Have you ever been approached about patient information? Have you ever noticed someone wandering around the facility you work in who does not belong, or whom you don’t recognize? Social engineering is becoming a huge problem in healthcare. It is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Social engineers are pros at blending into places they do not belong in order to attempt to gain unauthorized access to patient information. Lock unattended computers, secure mobile devices, and, if you see someone that you are not sure about, report it. It is better to be safe than sorry!

Ask your administrator to assign you the Identity Theft Prevention course for more detailed training, or, if you are not a MedTrainer client, email us at support@medtrainer.com for more information.
