Patient Medical Identities Are the Real Victims of Health Data Breaches


Despite improvements being made within cyber-security over the years, it has not solved the problem of data breaches occurring at alarming rates.  One area that these types of breaches are happening is within the healthcare sector and though other companies must deal with their own set of issues, the healthcare industry must deal with the aftermath of a security breach as the real victims of these breaches are patients’ medical identities.


Dealing with Synthetic Identity Theft

Usually, when news gets out that a data breach has occurred within a company, a large focus centers on when it happened, how many people were impacted, what information was hacked and how did the hacker get past security (assuming a security system was active).  Although there are other factors that are investigated, many forget that it can take time before whatever data was taken to impact those that were violated; patients whose medical identities were stolen become victims of synthetic identity theft.

Recently in Healthcare IT News, an article focused on this issue and point out that while other companies have their own set of problems that must be dealt with, the healthcare industry is left wondering what unknown impact it will have as well as a rise in medical fraud.  Chris Bowen, who is the founder, security officer and chief privacy of ClearDATA, said that, “It’s a rampant problem, and it’s not talked about enough.  There are victims out there, and it can take years to clean up after the mess. They have to take a lot of time to correct that record. But where do you go to correct it?”

Patients who have their data stolen would have to contend with many unknowns, such as how to make sure the cyber-criminal is not using the stolen information to commit fraud?  Even if during a breach, exposed data can be used to create a record that is incomplete, there is enough information that can be patched together to come up with a patient’s whole synthetic record.

Bowen said that, “Here’s a term: it’s called synthetic identity theft.  It means I can use little pieces of data from all over the place to create a new identity. The hacker may not take the whole thing, but I can stitch together an identity and credit report, or a medical record of you and others, and really rip off the healthcare system.”  He went on to say that, “People don’t need to pay for the theft.  Consider the Facebook breach of confidentials … Hackers had access to 50 to 90 million identities that they can now piece together to create new identities. It’s going to have a lasting effect.”


The Harvard Data Map

When looking at synthetic identity theft, a tool that is being used to understand its impact is known as the Harvard Data Map Project.  What it does is to track the flow of the records of a patient throughout the individual’s journey.  Although there are locations that are obvious, such as discharge data, payer and health provider, there are also vast amounts of other vendors that are considered third-party that might have all or some of the patient’s information.

Meanwhile, Bowen gives some suggestions on what patients need to be aware of, such as prioritizing an inventory of your information and every quarter doing a data inventory.  According to Bowen, “Once it’s a priority, organizations can start to find protected health information.  Critical tech first, as the most sensitive data are in them. Physical records are crucial as well, because then you can apply safeguards. There are different safeguard between records in the basement and the cloud.”


Anyone who has a patient identity should try to keep tabs on who has your information, where is it supposed to end up at and there is no easy fix if your identity is stolen.  Bowen said that, “Where is your data going? Victims of identity theft take years to fix their record, not to mention having to prove they didn’t subscribe to hundreds of opioid prescriptions,”

Patients Should Have a Checklist

One other note to add is that Bowen came up with a checklist that patients should have to protect themselves against being a victim of medical fraud.

  1. File a police report if your wallet or purse is stolen.
  2. Make sure to have a copy of your medical record as proof in case a thief alters it.
  3. Remember annually to review your medical information in checking for accuracy.
  4. Inquire how does your provider protect your information.
  5. Keep tabs on your insurance benefit notices and report any suspicious activity.
  6. Make sure if your insurance card gets lost to get a new one with a different ID number.