
Medical Identity Theft: 12 Million Patients Breached

Quest Diagnostics, a US-based provider of medical testing services, announced that third-party billing collection companies it used were hit by a severe data breach. About 11.9 million Quest customers were affected.

The compromised information could include personal data of the patients, including Social Security numbers, as well as medical and financial information. However, laboratory test results aren’t included in the breach.

What Happened?

The American Medical Collection Agency (AMCA), a billing collection service provider, informed Quest Diagnostics that an unauthorized user had gained access to the AMCA system, which contained personal information that AMCA received from a variety of entities, including Quest. AMCA provides its collection services to Optum360, which is a Quest contractor. Both Optum360 and Quest are working with experts to investigate the issue.

The company also noted that it still doesn’t have much information about the data security incident at AMCA, and it doesn’t know for sure what data was compromised. However, the company no longer sends its collection requests to AMCA and won’t do so until the issue is resolved.

Quest’s SEC filing revealed that the attackers had access to the AMCA system between August 2018 and March 2019.

According to one data breach website, Gemini Advisory analysts first discovered the breach. The analysts noticed a CNP (Card Not Present) database that had been posted for sale on a dark web market. They determined that the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted US federal law enforcement.

A spokesperson for AMCA says that, upon receiving the information that there was a possible data breach from a compliance company that worked with other credit card companies, it conducted an internal investigation and took down its payments page online. The company also said it was investigating the breach with the help of an unnamed third-party forensics company.

The Quest breach targeted primarily financial data with personal information (SSNs). That kind of information is significantly more lucrative than health information, which isn’t really marketable by criminals, at least not yet. The financial information disclosed was comprehensive and included bank accounts and credit card numbers. Therefore, victims could get their identities stolen and have financial transactions completed in their name.

Users of the website or the company need to monitor their bank accounts and credit cards for any unusual activity, and should get a credit freeze so that no new credit lines can be taken out in their name.

Action needs to be taken now to freeze your information with the credit bureaus and warn them that your financial information might have been compromised. In addition, financial institutions usually have programs available to take corrective action, which can prevent your credit card or account from being used without permission if your account has been compromised.

The issue is that insurance and healthcare information doesn’t have such a centralized process, which makes it extremely tough to prevent the use of this information by someone who doesn’t have permission to use it.

Jason Hart, cybersecurity evangelist at Thales, said that multi-factor authentication and encryption of the collected data might have saved the companies and victims from these problems.

Ben Goodman, VP of innovation and global strategy at ForgeRock, noted that this is the second known breach for Quest in just three years. For a public company, this could lead to a variety of serious repercussions with respect to brand reputation, shareholder trust, and stock prices. He also said that the exposed data might result in litigation. When First American Financial Corporation exposed 885 million documents full of sensitive information just last week, it took only a few days for the company to get hit with a class-action lawsuit.

Tom Garrubba, CISO and Senior Director for Shared Assessments, wants to see how quickly the Office for Civil Rights (an overseer of HIPAA compliance) rushes in to get information about the breach and to determine whether there was any negligence and whether Quest is partially or fully to blame.

Under the HIPAA Omnibus Rule, business associates must handle any data with the care provided to covered entities (outsourcers). Those business associates have to provide due diligence to the covered entity.

Robert Siciliano, CSP, is a #1 best-selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification, a Cyber Social and Identity Protection security awareness training program.

Why you want a Copy of your Medical Records

After receiving medical treatment, many people never look over the paperwork (save for the bill total) and just shove it into some folder in a file cabinet. But medical identity theft is very much out there; know the signs:

  • You’re denied coverage because you allegedly have a condition you were never diagnosed with.
  • A collection agency is hounding you about unpaid medical bills you never had.
  • Your credit report shows medical collection notices.
  • The bill is for treatment you didn’t receive.
  • Your health care provider says you’ve reached your coverage limit.

Thieves steal identities to use the victim’s medical coverage, and this could prove life-threatening to the victim depending on the victim’s health status. This is why you should keep records for all medical visits and treatments. Read everything carefully as though you’re searching for mistakes or mismatched information. Keep records of all associated phone calls and e-mails.

But remember this: You always have a right to all of your records, so don’t let any resistance from the carrier make you give up.

  • If you run into problems getting any records, learn about your state’s health privacy laws.
  • Obtaining copies may require a fee.
  • Request a copy of “accounting of disclosures.” This tells who has ever received copies of your medical records, and when and why.
  • Look for mistakes and request corrections from the provider via certified mail.
  • If someone has stolen your medical identity, the provider may not want to turn over the records to you. Check the provider’s Notice of Privacy Practices and appeal to the contact person listed there.
  • With all that said, you should get the records within 30 days. If not, report this to the U.S. Department of Health and Human Services Office for Civil Rights.

Medical identity theft can result in you not receiving coverage for major treatment. Here are tips from vitals.lifehacker.com for prevention of this crime:

  • Never reveal your Medicare number to anybody in public, even if it’s a person inside a medical clinic lobby approaching you and offering a free service for Medicare users.
  • Never give your Medicare number over the phone. No exceptions, even if the caller is claiming to be from Medicare.
  • Check all medical bills for any odd charges, duplicate charges or errors.
  • If a charge appears unauthorized, promptly report it to the provider. If that doesn’t help, escalate it to Medicare if you’re on Medicare.
  • Contact the Federal Trade Commission if you suspect medical identity theft.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Medical Identity Theft can be deadly

Every time you have a medical procedure done, including routine checkups and treatment for minor issues, paperwork is generated. You should have copies of every single paper. This is one line of defense against medical identity theft.

Review your paperwork thoroughly for unauthorized or duplicate charges, mistakes with diagnoses, dates, names, anything that looks odd. Signs of medical identity theft include:

  • Being billed for treatment or diagnostics you never received.
  • Being told you’ve maxed out your coverage limit when you haven’t.
  • A collection agency claiming you owe a debt that you don’t owe.
  • Being denied coverage for a “pre-existing” condition that you don’t have.
  • Paperwork showing you saw a doctor you never did or were prescribed a drug you never were is a red flag.
  • An e-mail from your provider that requests you reveal sensitive information like your Medicare number is a big red flag. The subject line may be urgent, such as “Your Medical Coverage May Be Terminated.” Never click links inside these e-mails or fill out forms in them; instead contact your provider via phone. E-mails like these are scams; the thief knows if he sends 50,000 such e-mails out with his special software, a predictable percentage of recipients will “see” themselves in the message.
  • A one-ring phone call may be a thief who just obtained your medical records to see if your number is legitimate. Never call back.

Be Vigilant

  • If you suspect medical identity theft, keep strict records of all associated correspondence.
  • Immediately obtain all records if you haven’t already, including the “accounting of disclosures”; you have this legal right, even if you get flak from the provider. Contact the provider’s patient representative or ombudsman for assistance.
  • If you spot mistakes, even small ones, insist they be corrected.

Nevertheless, it’s usually not easy to detect medical ID theft. So let’s look at this in more detail:

  • If a collection agency contacts you, request they provide information immediately; promptly contact your provider and carrier.
  • Examine your credit report to see if it’s plummeted due to unpaid medical bills. The three major credit reporting agencies issue the reports free.
  • If your provider offers online access to your files, sign up for this service, then inspect it for mistakes.
  • Request records of imaging procedures.
  • If no online access is available, have your doctor read the results or send a snail mail copy.


Medical Identity Theft Protection And Prevention

Identity theft can be fatal to the victim — if it’s of the medical kind. Medical ID theft can result in getting the wrong blood type during a transfusion, the wrong diagnosis or the wrong prescription — all because the thief’s medical history gets integrated with the victim’s.

I hope you’re scared, because that’s my goal.

Up to 43 percent of ID theft is medical, says the Identity Theft Resource Center. The nonfatal fallout of medical identity theft can be quite dastardly, like the crook using your private data to commit other forms of ID theft.

Prevent Medical ID Theft

  • Always review your medical bills. Is there a bill for a service your child never received?
  • Never give your health insurance card to anyone for their use.
  • Shred medical documents you no longer need, including prescription information.
  • Every year, examine your credit report from the big three outfits.
  • Give your health insurance card the same protection you’d give a credit card. Contact your insurance company ASAP if it gets lost. In police reports, include it as a loss if it’s stolen.
  • If news breaks of a data breach involving a company you use, inquire about this.
  • Be especially alert to reviewing documents if you’ve been receiving extensive medical treatment.

Suspicious Activity

  • Call the provider and insurance carrier if you spot an unfamiliar charge on a medical bill.
  • Save all relevant documents and record the names of every person you connect with and the dates.
  • Contact the big three credit reporting agencies.
  • Filing a police report may be necessary.
  • If you’ve already been the victim of medical ID theft, inquire about the accuracy of your records with your provider, and request a copy of the records.
