Bob Gregg is CEO of Oregon-based ID Experts, which helps companies and consumers recover from data breaches and identity fraud.
The massive data breach at Anthem, the second-largest U.S. health insurer, has illustrated perfectly the risks consumers are facing with the wide distribution of their medical information and just how poorly understood those risks actually are.
Even many of the “experts” who populate the media in the aftermath of an event like this are focused on the wrong threats and the wrong cures.
Empire Blue Cross, which is a licensee of Anthem, has 109,000 members in the Capital Region who may have been a part of this breach. For the ones who are affected, Empire says it will be providing “credit monitoring and identity protection services.”
Unfortunately, these are the same financial industry services that don’t go beyond financial accounts to provide visibility into a consumer’s actual healthcare transactions and medical identity.
In the eyes of most people, data breaches are differentiated only by size. The more records exposed, the greater the risk to consumers. This quantitative distinction ignores the crucial point that the kind of information that’s released matters as much as, if not more than, the amount.
Virtually all data breaches put consumers at risk for some version of identity theft, which can lead to bank account fraud, credit card fraud, tax fraud and other financial impacts. But only breaches involving medical information can truly put your life or health at risk.
Most coverage of the Anthem breach provides conventional advice. It’s the same treadmill of “check your bank statements, check your credit cards, change your password, order your credit report, etc.” That is all good advice, but it completely ignores the risks of medical identity theft and fraud.
In the Anthem breach, the compromised data included both health insurance identifiers and Social Security numbers, which means the major risk is medical identity theft.
This can happen a number of different ways, but the two most common are: 1) someone uses your medical identity to obtain medical goods, services and prescriptions pretending to be you, or 2) a devious individual (often involved in organized crime) uses your medical identity to bill your insurance, Medicare or Medicaid, for all kinds of medical goods, services and prescriptions without your knowledge.
The huge problem here is that everything the fraudulent person does goes on your personal medical record as if you did it.
The next time you go to a doctor or emergency room, they will pull up your electronic health record and most of the things on there will not be yours. Your pre-existing conditions, your allergies, your drug interactions, possibly even your blood type, may be wrong or conflicting.
In the future, that could lead to a misdiagnosis based on a condition you don’t have, a prescription mistake with a medication to which you’re allergic, and other dangerous or inappropriate medical treatment. It is not an exaggeration to say that medical identity fraud can literally kill you.
Medical identity theft is now the fastest-growing identity crime in the country, affecting over 1.8 million Americans. If there’s any good news in this latest attack, it’s that now finally consumers and the industry might be waking up to the real risks and the need to fight back.