Identity Thieves Target Medical Records

Health-record extortionists have struck again. This time around, a thief made off with prescription data from a Virginia Department of Health Professions (DHP) computer system, and the culprit didn't even make an attempt to cover his tracks.

"I have your sh--! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions," read the ransom note, which the thief left in place of the actual Virginia DHP Prescription Monitoring Program Web page at the end of April. (To see the full note, go to Wikileaks.)

The theft and subsequent extortion attempt bear striking similarities to an incident involving Express Scripts last November. Thieves broke into a system that contained both patient information and prescription records, and then sent letters threatening to reveal customer data unless ransom demands were met.

Though these thefts could very well be desperado-style moves to reap extortion profits, a digital black market for the fraudulent use of stolen health data is thriving, too. Ransom or not, there's big money in medical identity theft.

Medical identity theft, like its more mundane, purely financial cousin, is all about cashing in. According to the World Privacy Forum nonprofit advocacy group, criminals can exploit stolen medical info to make hundreds of thousands of dollars' worth of false claims against an insurer or government program. Victims may get a bill for medical services they never obtained or end up with false information in their medical records. While existing provisions of financial fraud legislation can help shield someone from having to pay the sometimes outrageous sums associated with this type of identity theft, correcting a falsified record can be difficult.

According to a 2006 Federal Trade Commission report, 3 percent of identity-theft victims surveyed said "the thief had obtained medical treatment, services, or supplies using their personal information." If that number holds true for the 8.3 million victims estimated for that year, there could be as many as 250,000 medical identity theft victims a year, the World Privacy Forum says. But the extortion demands made to the Virginia DHP site and to Express Scripts might be just what they seem, with the thieves pursuing an unlikely payout--it would take only one big ransom payment to make numerous thefts worthwhile.

If you receive a notice stating that your health records have been stolen, be on the lookout for any indications of medical identity theft. Keep in mind, too, that false information in a medical record might lead to incorrect treatment and genuine harm. According to the World Privacy Forum, one big tip-off to identity theft can be if you receive a notice of a benefits payout from your insurance company for treatment or goods you never received. The fraud might also show up in your credit report, in the form of a collection notice from a hospital for fake charges.

To read extensive information, including additional advice on how to tell whether you've been affected and how to recover, see the World Privacy Forum's medical identity theft guide.

Subscribe to the Security Watch Newsletter

Comments