Most people closely guard their personal banking information both on and offline. Everyone knows it’s a bad thing for other people to have your social security number or account number, particularly if it can be combined with other information. But many forget about another type of information that can be as damaging in the wrong hands: medical records.
A full medical record is a treasure trove for identity thieves because it contains every piece of information they could dream of acquiring. Worse, these records are often easy to acquire because people forget to properly protect them. Here’s what you need to know about the forms you sign at the doctor’s office and what you can do to protect that data.
Why Medical Records?
Many people are confused when they hear medical records are targeted by identity thieves. Why would a thief want to know you had knee surgery or are on medication for pneumonia? What’s forgotten is that these records include all of your personal information: name, address, date of birth, social security number (or equivalent) and more. Some up the ante with billing information and previous address information.
In short, your medical records contain everything an identity thief might need to impersonate you. There are few sources of data more complete, and most are more difficult to obtain because of public perception surrounding what’s important to protect. If the customers of a bank were to learn a breach leaked all of their data they’d be very concerned, perhaps even outraged. Yet patients of a medical office or hospital who learn their medical records have leaked are rarely as worried.
Medical records are also relatively easy to obtain. There are many doctors, hospitals and insurance companies around the world, and they’re often not huge corporations with tens of millions to spend on IT. Hacking into a hospital, family practice or small insurance company is easier than going after JPMorgan Chase, Citigroup or Deutsche Bank.
Worse, the consumer protections that extend to credit and debit fraud don’t extend to medical fraud. This means victims could be on the hook for health care services they didn’t receive. The lack of consumer protection translates to a relative lack of scrutiny from those accepting billing information and can make this fraud easier to pull off.
A Friend Can Be Worse Than A Hacker
Not all medical ID theft occurs through malicious attacks over the Internet, however. A survey conducted by the Ponemon Institute in 2013 found the majority of medical ID theft victims were attacked not by a hacker halfway across the globe but by a personal relation. In 30% of all cases the information was shared willingly with a party the victim thought trustworthy and in 28% of all cases the record was accessed by a friend or relative without consent.
This goes to show that what many people call “hacking” isn’t hacking at all, but instead a simple scam. Some of the victims gave their information out willingly or were tricked into it. Others left their information exposed at home or on a personal computer where it was later grabbed by someone else with access to the PC. It’s old-fashioned thievery with a modern twist.
In fact, the Ponemon Institute found only 15% of all medical ID theft could be blamed on hacking or a similar attack, such as phishing. You’re four times more likely to have your records stolen by someone you know than by a hacker.
Stepping Up Your Protection
While the prevalence of medical record theft may make paranoia seem justified, there’s some good news hidden in the bad. Most records are stolen through means you personally can prevent. The question you should ask yourself is this: do you know where your records are located and how they can be accessed?
Many people who obtain them end up throwing them in a box (if they’re physical forms) or in a generic folder (if they’re digital). That’s a bad choice. Physical records should be kept hidden or, preferably, in a fireproof safe. Digital data, meanwhile, should be protected by an extra layer of security. Check out our latest article on file encryption to learn why and how you can protect files on your PC.
You should also do a quick self-audit of any online accounts you have with medical providers. I recommend making a list of them, then visiting each to remind yourself of the information accessible through them and how they work. Also make sure each is protected by a strong, unique password. Two-factor security usually isn’t available, so a good password is your main defense. Some providers offer email alerts that will inform you when your account is accessed; turn that setting on, if available.
A few large medical providers have smartphone apps that can be used to access medical records. These are generally designed so that only partial records are available, making identity theft unlikely through the app alone. However, it may be possible to request full records using the app, or to impersonate you using information found in the app. Keep a lock on your phone to prevent easy access to this information.
Looking For Leaks
The 15% of records stolen from “real” hacking is a slim portion, but it still translates to hundreds of thousands of cases. Aside from avoiding phishing attacks there’s not a lot you can do to proactively combat the problem, but you can keep an eye out for leaks that contain your information by setting up an alert with DataLossDB.org. This website serves as a catch-all list for data breaches large and small. Only the most serious breaches make the evening news, so you can’t rely on it to keep you informed.
Credit monitoring services can help, as well. Monitoring your credit will keep you informed of any new attempts to open credit in your name, which will catch most attempts of fraud. On the downside, these services charge a monthly fee. They’re also not guaranteed to stop fraud in its tracks; they just allow you to respond, which can reduce or eliminate the problem if you act on the information when you receive it.
Readers who are very diligent, or have reason to think they’d be targeted, can further protect themselves with a fraud alert. This is a notification you file with a major credit bureau like Equifax, TransUnion and Experian. In the United States this will prevent new credit accounts or requests from being opened in your name unless they’re verified by you first. The alert lasts for 90 days and can be filed for free. You can renew the alert every 90 days. International readers should note the particulars of this will vary from country to country.
Don’t Be Defenseless Against Medical ID Theft
Medical ID theft can be a harrowing experience, but you’re not entirely defenseless. Most fraud is simple theft by people who have access to your data, so closing off that access can drastically reduce your risk. Keeping a look out for data breaches and signing up for credit monitoring will also improve your protection. As with all things security, there’s no perfect solution, but a few proactive steps make it less likely you’ll be a victim.