Each year, the Identity Theft Resource Center tracks data breach activity and keeps track of the number of compromised records. For most of the last ten years, data breaches have continued to set new annual records for both the number of events and the number of records that were exposed. But while so many people focus on large-scale breaches that have affected retailers or government agencies, there’s another kind of data breach that can have far more serious—even potentially life-threatening—consequences.
Medical breaches get a lot less attention than something like a dating website breach, for example, and it’s a shame. It’s unsettling that42.5% of survey respondents only a few years ago did not even know what medical identity theft is, and yet 36.6% of this year’s data breach activity involved medical records. More than 15 million patient records were compromised in medical data breaches this year, leaving many to wonder what can happen with that level of information. In 2015, more than 110 million records were compromised in the healthcare/medical industry.
In 2006, one of the more famous medical identity theft cases occurred. Anndorie Sachs, a mother of four children ages two and up, was informed that she was being invested by child protective services. They stated she’d recently given birth to a baby who tested positive for methamphetamine. The following day, the authorities came to Sachs’ house and threatened to remove her four children from her custody.
As if that wasn’t upsetting enough, the fact that Sachs had not given birth recently and that her driver’s license had recently been stolen didn’t help her much. Sachs finally underwent a DNA test to prove she was not the baby’s mother, and while that helped clear her of criminal wrongdoing and keep her family intact, it did not absolve her from the $10,000 hospital bill for labor and delivery. Much later, the woman who’d actually stolen Sachs’ driver’s license and presented it at the time she entered the hospital was caught and accepted a plea arrangement.
When this incident occurred, receiving prescription drugs and medical care while sticking someone else with the bill was thought to be the motivation. Now, however, experts warn that there’s another reason, one that can have much broader results. Medical histories and patient records often contain every piece of the identity theft puzzle, from names and addresses to ages and birthdates. Even worse, 11.8% of the 2016 medical breaches exposed patient Social Security numbers, and records stolen in medical data breaches ranked the highest in the ITRC’s findings for “data on the move,” meaning information which was somehow lost or stolen while in transit from one location to another.With one complete stolen record, an identity thief can open new accounts in the victim’s name and use those accounts for a long time to come. If that account is flagged as fraudulent and shut down, it’s no big deal. He can just open another one thanks to the personal identifying information he’s stolen.
As upsetting as that is, it’s hardly life-threatening. So how can medical data breaches possibly result in bodily harm? If the goal was just to steal identifying records from a hospital or doctor’s office, then the patient’s physical health is probably not in danger. But if the opportunity arises to use the victim’s identity for medical care, the criminal’s medical information can be woven into the victim’s file. Blood types, medications in use, pre-existing conditions, and more can all get updated to reflect the imposter’s health, leaving the victim vulnerable to conflicts in care in an emergency situation. As a result of HIPAA regulations, the identity theft victim is not entitled to access to the thief’s patient care, so clearing up the confusion can be problematic.
Anyone who believes their personal data has been compromised is invited to connect with the ITRC through our toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.