With last week’s sobering news that medical identity theft is on the rise, we now face the prospect of privacy and security problems turning from annoyances into life-or-death issues.
Medical identity theft is one of those “perfect storm” scenarios, the confluence of security problems with medical records and time-tested insurance reimbursement scams. Modern fraud techniques have moved medical identity theft from being a theoretical threat into a deadly reality.
As frightening as it may be, however, the specter of “death by privacy breach” may actually provide the kind of motivation necessary for lawmakers to force the relevant industries to finally tackle two of the biggest remaining challenges in individual privacy rights: the ability to easily access and correct our private data files.
The Right to Know
Ever since the Organization for Economic Cooperation and Development issued guidance on Fair Information Practices in the 1980s, those principles have included the right for individuals to know what information is being kept about them and to challenge the accuracy of that data.
These principles of access and redress are core tenets of many privacy-related laws. For example, the Fair Credit Reporting Act (FCRA) allows consumers to access and correct their credit records.
Unfortunately, the credit bureaus have an abysmal record of compliance and the U.S. Federal Trade Commission (FTC) — the federal agency in charge of enforcing the FCRA — has spent much of the last several decades suing the credit bureaus over basic issues of consumer access and data accuracy.
In the world of medical privacy, the Health Insurance Portability and Accountability Act (HIPAA) gives patients the right to access their medical records, and provides some ability for patients to correct (or at least contest) some of the information found therein.
But unlike credit records, many people aren’t used to checking up on what their doctor has been illegibly scribbling in their medical files — much less checking to see if there might be erroneous or fraudulent information in there.
Yet, those files are exactly where medical identity theft can start.
Many Forms of Fraud
Medical identity theft can take many forms, including impersonating someone in order to receive treatments or drugs, fraudulently seeking reimbursements for imaginary procedures, intercepting reimbursements for real procedures — and the scams get more imaginative from there.
The real danger to life and limb arises when fraudsters start entering false data into medical records in order to generate bogus reimbursements, get bogus prescriptions, and so forth. Then when the identity theft victim ends up in the hospital weeks, months, or years later, the bogus information can lead to improper treatments or misdiagnoses.
Until the advent of medical identity theft, the consequences of bad data in the files of companies were limited to the interactions those companies had with you.
For instance, bad information in the database of an Internet advertising company meant you got poorly targeted advertisements or unwanted email. Bad information in a credit bureau database meant having to haggle with a mortgage underwriter or paying a slightly higher interest rate.
And in this post-9/11 world, bad information in the database of some private data mining company might now mean an unpleasant encounter with a rubber-gloved hand behind a curtain at your local airport.
Unfortunately, the brilliance of those technology wizards who created the mechanisms for amassing huge databases full of everyone’s most intimate details seems to have stopped short of coming up with ways to help us reliably review and correct the files they created.
This article, in longer form, first appeared on esecurityplanet.com.