American Medical News
Posted Sept. 2, 2013
Practices that have experienced a breach, whether it was the fault of someone inside the practice or the result of a more sinister act such as cyber crime, have an obligation to mitigate the damage that can be caused by data falling into the wrong hands. And identity theft professionals say the damage control needs to apply to all victims, not just those with a credit history.
Identity theft affecting children younger than 5 doubled from 2011 to 2012, according to a 2012 report by AllClear ID, an identity protection technology firm. Children are 35 times more likely than adults to have their identities stolen, according to the report. Yet crimes against them often go undetected for several years as the damage to their credit builds. Being aware of these risks can help physicians protect their young patients in the event of a data breach.
Children, as well as adults with thin or no credit history, are targeted because they are “a clean slate for an identity thief,” said Michael Bruemmer, vice president of Experian Data Breach Resolution. “There’s no consumer … who will be immune to the impact of a data breach. Both minors as well as adults with no credit files are susceptible, because it’s more difficult to detect that fraud versus someone who has a credit file.”
The answer to the question of how someone can get a credit card in, say, a 2-year-old’s name, is easy, says Robert Siciliano, an identity theft expert with BestIDTheftCompanys.com. On the credit applications, the birth dates are altered to make the child appear older, he said. “A 2-year-old may be listed as a 22-year-old,” he said. Creditors often fail to verify an applicant’s age and simply accept a credit application at face value.
Tom DeSot, chief information officer of Digital Defense, a cyber attack risk assessment firm, said that by initially establishing a small amount of credit, “it makes it much easier for [thieves] to gain additional credit in a more traditional fashion, and they then build it up over time. That’s how they get larger and larger amounts.”
Because of the lack of credit history before a breach, people don’t think about children becoming victims of credit fraud, but they should, DeSot said.
“People only think of credit monitoring when it comes to an adult,” he said. “But in this day and age, where it is so trivial with a computer to obtain credit online without ever having to walk in to a bank branch and face anyone eye-to-eye … they should be safeguarding all of their patients and not just a select group.”
By law, physicians must send notification out to all those affected when a breach of 500 or more records occurs. Physicians can start addressing the needs of the underage victims through these notification channels, said Jeremy Miller, director at Kroll, a security response and mitigation firm.
An assessment should be made to determine all who could be potentially affected by the breach. If it is determined there were both minors and adults, messages specific to those two groups should be created, Miller said. The messages will differ in the breach response services they describe. For adults, standard credit monitoring and fraud alerts are typically offered. But “you can’t place fraud alert on a credit report if there isn’t one,” Miller said.
For children, monitoring to see if credit is established is a good idea. Also, some breach response packages from identity protection firms include Internet scanning to see if the minor’s identification is being sold illegally.
Whomever the practice chooses to provide the protection services, they should have products that cover children, adults and those in-between, Bruemmer said. Adults with an established credit history can benefit from normal fraud monitoring coverage while children could be placed on a credit freeze. But victims who are at or near 18 and have not yet established credit, but likely will within a couple of years, need a product that is a hybrid of the adult and child-centric products, he said.
Some of the products are sold in a package that covers the entire family, or they are sold as an add-on to an adult monitoring package, Miller said.
In addition to gaining credit, identity thieves sell identities that can be used by others to receive medical services. “Without a credit history, you may not get a mortgage, but you can get coverage in a medical institution,” Bruemmer said.
There are often stories of worst-case scenarios that emphasize the dangers of medical identity theft. Although these cases are rare, they could result in deadly consequences. A real case Bruemmer often shares is one in which a child who is allergic to penicillin had his identity stolen. The child using the stolen identification received penicillin, and that was entered into the medical record. When the real child went in for treatment later, the doctor saw on his record that he had received penicillin and was about to give him a dose when a double-check of the boy’s record revealed the discrepancy.
Physician practices should be diligent about looking for these types of discrepancies in a medical record, such as differing blood types or procedures that don’t make sense. A practice that has had a recent breach should be especially vigilant, Miller said. As part of the postbreach notification process, physician practices should encourage parents to pay attention to their explanation of benefits to look for treatments they didn’t receive or visits to doctors they don’t know. Parents also should be familiar with their child’s medical history and know the names of specific diagnoses and their child’s blood type.
DeSot said many practices let basic security measures slip, which puts both digital and nondigital information at risk. Basic security measures often overlooked include having locked bins to store paper that needs shredding, locking file cabinets, using strong passwords for the computer, installing anti-virus software, and logging out of computer systems. The case of the boy who was allergic to penicillin was the result of a cleaning crew staff member who stole patient files that were not locked up, Bruemmer said.
Data security is something that is scalable, DeSot said. Although a small practice wouldn’t need the same security measures as a large hospital system, “they should have a general plan in place for how they’re going to protect data. Not only when it’s being stored or transmitted in an electronic fashion, but any of the paper records they are keeping as well,” he said. “I don’t know how many doctors’ offices I have gone into … where I see patient records all over the place and they’re not even necessarily in use.”