Feature Article
Medical Identity Theft - A Hacker's New Best Friend
By Mark Pribish
Vice President and ID Theft Practice Leader

According to a new research report from accounting firm PricewaterhouseCoopers (PwC) (see article here), "medical identity theft is the fastest-growing form of identity theft, affecting 1.42 million Americans in 2010 and costing more than $28 billion."

The PwC report also stated that "the single most commonly reported breach in the security of patients' private health information was improper use of patient data by a person who works for a doctor's office, hospital, insurance company, or life sciences organization."

That said, I have written extensively over the last four years on how most data breach events and victims of ID Theft are related directly to the insider threat – where current and former employees, customers, and vendors with insider knowledge present a constant threat to the information security and governance practices of most businesses.

So what does this mean and why should this be important to you and your family members?

It means that identity theft is more than a financial event specific to your credit/debit card, checking/savings account, or auto, home or personal loan. It means that your medical and health insurance information has become as profitable as your financial information.

Medical identity theft should be important to you for two reasons:

First, there is the financial impact of someone fraudulently using your health insurance information to obtain medical services, with you being held responsible for those fraudulent medical bills. Second, there is the risk that the ID Theft criminal's health and medical information is mixed with your medical file, which can lead to unintended consequences including allergic reactions and even accidental death.

But it gets worse. According to a September 26, 2011 Wall Street Journal article, a company's biggest security risk is you [and me] – where employees do not intend to be the primary entry point for hackers, but we are (see the article here).

The WSJ article states that: "these days, criminals aren't just hacking networks. They're hacking us, the employees" – where hackers gain access to organizations' networks by exploiting well-intentioned employees through Social Engineering.

Employees have become a gap in information security because of the use of personal email (e.g. when an employee sends a work email to their personal email to do work at home and vice versa) as well as through social media (e.g. LinkedIn) where employees provide a significant amount of detailed information on their employer and their job responsibilities.

Rogue employees with entitlement issues (e.g. you owe me, or I will get you back) can cause even more damage and are another gap in information security after a company layoff or an internal conflict with another employee.

So with all of the recent medical identity theft, hacking and social engineering that has taken place, is there anything else to worry about regarding our medical information?

Based on the fact that Stanford University Medical Center accidentally released the electronic medical records of 20,000 Stanford Hospital emergency room patients (see the article here), I would say the answer is a resounding yes.

Why? Because of the insider threat – the Stanford breach was caused by a vendor's subcontractor, and it shows the challenges in information security when so many third parties are touching our medical information.

To conclude, it is not a question of "if", but "when" our Personally Identifiable Information (PII) will be lost or stolen.

Based on the above, you may want to consider being proactive in understanding where your family PII is and how it is being protected, including by your employer, financial institution, schools, home and auto insurance company, family doctor, family dentist, tax preparer, and any other service provider that has your information.

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


Scam Central

Smile! You're on Traffic Cam Scam!

Most of us have seen a traffic camera at some point. They are commonly found at intersections to catch red light runners, on freeways to catch speeders, and at times found in vans on the side of the road. After becoming aware of their locations, typically one learns to either slow down, or not run lights, which in itself is good advice! What is amazing is the number of people that either do not seem to see the cameras or vans, or do not seem to care about them and proceed to speed or run red lights as usual.

Most of us go out of our way to avoid law enforcement interaction, so imagine your surprise when you receive a phone call from someone identifying himself or herself as a police officer telling you that you have an overdue fine for running a red light or speeding. The officer continues to inform you that if you do not pay this fine immediately they will issue a warrant for your arrest. You were so careful while driving - how could this happen? You never received a summons or a photo radar ticket in the mail with the fine? Hold the phone, this is a scam!

How It Works:

It starts with a random phone call made by a scammer. They will tell you that you have not paid the fine for the red light you ran on a specific date and that unless you pay right then, over the phone with a credit card, you may face court or jail time. The caller seems to be a legitimate law enforcement agent and they may even provide a phony identification number to try to distract you. Aside from gathering credit card information, they may try to gather your Social Security number as well.

Your Defense:

Always verify the source of the caller. Currently no law enforcement agencies use the telephone to collect on overdue fines or tickets. Get the identification of the caller and call the agency in question directly to verify the individual and the status of your alleged fine. Also, use common sense. Did you even run a red light? Do not be afraid to question the details of the alleged ticket.

Law enforcement agencies have other ways of informing you if you have overdue fines. The most usual way is through the mail. If you have been photographed running a red light, the agency will have your vehicle's license plate number, and with little effort they can get your name and the address registered for that vehicle. If you fail to appear for court or pay a fine, you will receive further notices and a process server may come to your house with your fine in tow. You will not, however, receive a phone call from a police agency for an overdue fine. They simply do not have the time for that.

Be alert for these types of deceptive phone calls. Never give out your personal or credit card information to anyone calling your home that you cannot verify, even if they claim to be a law enforcement officer. If you did not initiate the call or have previous interaction with the caller, keep that information to yourself. The police do not need your Social Security Number - they are the police. Any information they need about you, they already have.

If you believe your identity has been stolen, call 866.SMART68 today.