Posts

Medical Identity Theft: 12 Million Patients Breached

Quest Diagnostics, a US-based company that provides medical testing services, announced that third-party billing collection companies it used were hit by a severe data breach. About 11.9 million Quest customers were affected.

The compromised information could include personal data of the patients, including Social Security numbers, as well as medical and financial information. However, laboratory test results aren’t included in the breach.

What Happened?

The AMCA (American Medical Collection Agency), a billing collection service provider, informed Quest Diagnostics that an unauthorized user had gained access to the AMCA system, which contained personal information that AMCA got from a variety of entities, including Quest. AMCA provides its collections services to Optum360, which is a Quest contractor. Both Optum360 and Quest are working with experts to investigate the issue.

The company also noted that it still doesn’t have much information about the data security incident at AMCA, and it doesn’t know for sure what data was compromised. However, the company no longer sends its collection requests to AMCA and won’t do so until the issue is resolved.

Quest's SEC filing revealed that the attackers had access to the AMCA system between August 2018 and March 2019.

According to one data breach website, Gemini Advisory analysts first discovered the breach. The analysts noticed a CNP (Card Not Present) database that had been posted for sale on a dark web market. They figured out the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted US federal law enforcement.

A spokesperson for AMCA says that, upon receiving the information that there was a possible data breach from a compliance company that worked with other credit card companies, it conducted an internal investigation and took down its payments page online. The company also said it was investigating the breach with the help of an unnamed third-party forensics company.

The Quest breach targeted primarily financial data with personal information (SSNs). That kind of information is significantly more lucrative than health information, which isn’t really marketable by criminals, at least not yet. The financial information disclosed was comprehensive and included bank accounts and credit card numbers. Therefore, victims could get their identities stolen and have financial transactions completed in their name.

Users of the website or the company need to get a credit freeze, so that no new credit lines can be taken out in their name, and monitor their bank accounts and credit cards for any unusual activity.

Action needs to be taken now to freeze your information with the credit bureaus and warn them that your financial information might have been compromised. In addition, financial institutions usually have programs available to take corrective action, which can prevent your credit card or account from being used without permission if your account has been compromised.

The issue is that insurance and healthcare information doesn’t have such a centralized process, which makes it extremely tough to prevent the use of this information by someone who doesn’t have permission to use it.

The cybersecurity evangelist of Thales, Jason Hart, said that multi-factor encryption and authentication of the collected data might have saved the companies and victims from having problems.

The VP of innovation and global strategy at ForgeRock, Ben Goodman, noted that this is the second known breach for Quest in just three short years. For a public company, it could lead to a variety of serious repercussions with respect to brand reputation, shareholder trust, and stock prices. He also said that the exposed data might result in litigation. When First American Financial Corporation exposed 885 million documents full of sensitive information just last week, it took just a few days for the company to get hit with a class-action lawsuit.

The CISO and Senior Director for Shared Assessments, Tom Garrubba, wants to see just how quickly the Office of Civil Rights (an overseer of HIPAA compliance) rushes in to get information about the breach and to determine whether there was any negligence and whether Quest is to blame (partially or fully).

Through the HIPAA Omnibus Rule, business associates must handle any data with the care provided to covered entities (outsourcers). Those business associates have to provide due diligence to the covered entity.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Medical Identity Theft can be deadly

Every time you have a medical procedure done, including routine checkups and treatment for minor issues, paperwork is generated. You should have copies of every single paper. This is one line of defense against medical identity theft.

Review your paperwork thoroughly for unauthorized or duplicate charges, mistakes with diagnoses, dates, names, anything that looks odd. Signs of medical identity theft include:

  • Being billed for treatment or diagnostics you never received.
  • Being told you’ve maxed out your coverage limit when you haven’t.
  • A collection agency claiming you owe a debt that you don’t owe.
  • Being denied coverage for a “pre-existing” condition that you don’t have.
  • Paperwork showing you saw a doctor you never did or were prescribed a drug you never were.
  • An e-mail from your provider that requests you reveal sensitive information like your Medicare number is a big red flag. The subject line may be urgent, such as “Your Medical Coverage May Be Terminated.” Never click links inside these e-mails or fill out forms in them; instead contact your provider via phone. However, e-mails like these are scams; the thief knows if he sends 50,000 such e-mails out with his special software, a predictable percentage of recipients will “see” themselves in the message.
  • A one-ring phone call may be a thief who just obtained your medical records to see if your number is legitimate. Never call back.

Be Vigilant

  • If you suspect medical identity theft, keep strict records of all associated correspondence.
  • Immediately obtain all records if you haven’t already, including the “accounting of disclosures”; you have this legal right, even if you get flak from the provider. Contact the provider’s patient representative or ombudsman for assistance.
  • If you spot mistakes, even small, insist they be corrected.

Nevertheless, it’s usually not easy to detect medical ID theft. So let’s look at this in more detail:

  • If a collection agency contacts you, request they provide information immediately; promptly contact your provider and carrier.
  • Examine your credit report to see if it’s plummeted due to unpaid medical bills. The three major credit reporting agencies issue the reports free.
  • If your provider offers online access to your files, sign up for this service, then inspect it for mistakes.
  • Request records of imaging procedures.
  • If no online access is available, have your doctor read the results or send a snail mail copy.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Frequently Asked Questions About Identity Theft

I remember my teachers always telling me there are no stupid questions. When it comes to identity theft, this is especially true. The more you know about identity theft, the better prepared you will be to prevent it from happening to you. Here are some commonly asked questions about identity theft.

What is identity theft?

Identity theft is when a person pretends to be you to access money, credit, medical care, and other benefits. They acquire your identity by stealing and using your personal information like government ID number or bank account number. Once they have this information, identity thieves can really wreak havoc on your life; for example, they can clear out your bank account. They can also impersonate you in order to get a job or commit a crime. It can take a long time to clean up the mess.

Does identity theft only have to do with stealing money or credit?

No, financial identity theft, using your personal information to access your money or credit, is not the only type of identity theft, although it is the most common. There are other kinds of identity theft. Medical identity theft is when someone uses your information to receive medical care. Criminal identity theft is when someone takes over your identity and assumes it as his or her own. They can then give your name to law enforcement officers and voilà—you have a criminal record.

What are some things I can do to protect my identity online?

  • Be choosy. Be careful when sharing personal information online. Just because a website is asking for your information doesn’t mean it’s necessary to provide it to them. Ask who wants the information and why. Also, limit the amount of information you share on social media. Does everyone need to know the year you were born?
  • Think twice. Use caution when clicking on links and opening email attachments. If the link or attachment is from someone you don’t know, don’t open it.
  • Use secure Wi-Fi. When shopping or banking online, make sure you are using a secure wireless connection.
  • Permanently delete files from your PC. Putting your files in the recycle bin isn’t enough. Your device will still have the files, and they are therefore accessible to identity thieves. Use security software, like McAfee LiveSafe™ service, that includes a digital shredder to make sure those files are truly wiped from your PC.
  • Install security software. Make sure all your devices have comprehensive security software like McAfee LiveSafe that protects all your PCs, Macs, tablets and smartphones.

What are things I can do to protect my identity offline?

  • Shred. Use a cross-cut shredding machine, or scissors to shred old credit card statements, offers, receipts, etc., to prevent dumpster divers from obtaining your information and creating accounts in your name.
  • Have a locked mailbox. This will keep thieves from stealing your mail, especially bank statements and credit card offers.
  • Secure your files. Get a fire-proof safe to store sensitive documents including credit cards you hardly use.
  • Keep an eye on your bank and credit card statements. Look for questionable activity.
  • Be careful when using ATMs. When you insert your ATM card into a compromised machine or run your credit card through a phony card reader, you could become a victim of skimming. Skimming is where a hacker illegally obtains information from the magnetic strip on the back of your credit or ATM card. This information can then be used to access your accounts or produce a fake credit card with your name and details on it.

How do I know if my identity has been stolen?

This list is not comprehensive but gives you a good idea of what to look out for.

  • You receive a bill for a credit card account that, though in your name, is not yours. This probably means a thief opened the account in your name.
  • You’re no longer receiving your usual snail mail or email statements. Contact the issuer to find out why.
  • Unfamiliar purchases on your credit card, even tiny ones (crooks often start out with small purchases, and then escalate). Challenge even a $4 purchase.
  • You receive a credit card or store card without having applied for one. If this happens, immediately contact the company.
  • Your credit report has suspicious information, like inquiries for credit that you didn’t make.
  • Collectors are calling you to collect payments you owe, but you owe nothing.
  • Your credit score is high (last time you checked), but you were denied credit for a loan or new credit card. A thief can easily ruin a credit rating.

If my identity is stolen, what should I do?

Finding out that your identity has been stolen can be stressful. First, take a deep breath, then follow these initial steps.

  • Contact your local or national law enforcement agency. File a report that your identity has been stolen.
  • Call your bank and credit card companies. Notify them of fraudulent activity. They may be able to reimburse you for any money lost or close any unauthorized accounts.
  • Check with credit reference agencies. Ask them to set up a fraud alert. Also, check to see if anyone has tried to get credit using your name.
  • Keep records. Keep track of all conversations and paperwork, the more detailed the better. Organize your data into one centralized place. This can be used as evidence for your case and can help you resolve the mess that identity theft can create.

To learn more about how you can protect yourself from identity theft, check out the Intel Security Facebook page or follow @IntelSec_Home on Twitter.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Medical Identity Theft Can be Deadly

If you feel like you are starting to get the flu, going to the doctor’s office can get you some medicine and get you on the road to recovery. But, there’s no pill or surgery that can protect you from medical identity theft—which can kill you. Literally. The thief who steals your identity doesn’t mean to kill you; he just wants to obtain free medical care on your dime.

If a thief has access to your personal information, he can pose as you and see doctors and have procedures done—for free or for a nominal copay. The crook uses fake IDs and phony insurance cards to pull off this scam.

The problem really starts kicking in when the imposter’s medical situation gets tacked onto your medical record—since they are posing as you. This can result in a number of harmful outcomes for you. Not only can it potentially cause misdiagnoses, you could be issued a prescription for a drug that you have a fatal reaction to.

Just think about it for a moment: Someone else’s medical condition getting integrated with yours. This can cause a lot of problems. You could be denied medical coverage or lose your current coverage because of false information in your medical records. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) protects your right of access to your medical records. If someone else is pretending to be you and accessing your records, you might not be able to access your own records. That’s a scary thought.

But even if you are lucky enough not to suffer any negative consequences to your health as a result of the medical identity theft, cleaning up the mess can be enough to give anyone a heart attack.

So how can you prevent becoming a victim of medical identity theft?

  • Protect your mail: Install a locking mailbox so no one can access your mail.
  • Keep medical documents secure: Keep all of your hard copy medical documents in a file that locks. If it’s in cyberspace, make sure the files are encrypted and not in a folder on your desktop that says “Medical.”
  • Shred all medical documents: Make sure to properly dispose of your medical documents so you don’t become a victim to dumpster-diving thieves. This includes digital files as well. McAfee LiveSafe™ service comes with a digital shredder that uses higher than government standard file shredding—don’t rely on simply putting something in the “trash bin” on your computer and then emptying it.
  • Leave medical cards at home: Only take them when you are visiting the doctor. If you’re worried you might need them in the event you have an accident and need immediate medical treatment, memorize your health ID number. If you’re unconscious upon arriving at an ER, you’ll get treated anyways—it’s the law. Simply provide your medical card after the fact. Don’t carry identity cards either: Identification cards or Social Security number cards should also be left at home in a safe place. Since many medical systems use these numbers as your identifier on the policy, you don’t want them falling into the wrong hands. And with access to these cards, a thief could easily create the fake credentials needed to commit medical identity theft.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Medical Identity Theft Protection And Prevention

Identity theft can be fatal to the victim — if it’s of the medical kind. Medical ID theft can result in getting the wrong blood type during a transfusion, the wrong diagnosis or the wrong prescription — all because the thief’s medical history gets integrated with the victim’s.

I hope you’re scared, because that’s my goal.

Up to 43 percent of ID theft is medical, says the Identity Theft Resource Center. The nonfatal fallout of medical identity theft can be quite dastardly, like the crook using your private data to commit other forms of ID theft.

Prevent Medical ID Theft

  • Always review your medical bills. Is there a bill for a service your child never received?
  • Never give your health insurance card to anyone for their use.
  • Shred medical documents you no longer need, including prescription information.
  • Every year, examine your credit report from the big three outfits.
  • Give your health insurance card the same protection you’d give a credit card. Contact your insurance company asap if it gets lost. In police reports, include it as a loss if it’s stolen.
  • If news breaks of a data breach involving a company you use, inquire about this.
  • Be especially alert to reviewing documents if you’ve been receiving extensive medical treatment.

Suspicious Activity

  • Call the provider and insurance carrier if you spot an unfamiliar charge on a medical bill.
  • Save all relevant documents and record the names of every person you connect with and the dates.
  • Contact the big three credit reporting agencies.
  • Filing a police report may be necessary.
  • If you’ve already been the victim of medical ID theft, inquire about the accuracy of your records with your provider, and request a copy of the records.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Medical Identity Theft: Ins and Outs

Medical identity theft is the deadliest form of identity theft—and I say this without hyperbole or exaggeration. When financial gain is the general motivation for stealing medical information, insurance cards, records, etc., the crime is a form of account takeover fraud. Medical identity theft—the real kind—occurs when the thief’s motivation is obtaining medical procedures or healthcare.

Insurance cards allow access to a hospital or doctor’s office. When additional forms of identity are requested, the thief produces fake IDs. Often, the thief conspires with an employee at the facility who “sweethearts” the transaction so the thief can get medical services.

Insurance cards are just paper or plastic and can easily be counterfeited. Many are often lost or stolen, and simply possessing an insurance card allows a thief access. Hospitals rely on the honor system, believing patients are who they say they are—but people lie. And while most of the administrators are doing their jobs ethically, some lie too.

When a thief steals a medical ID to procure medical care, the thief’s medical condition and diagnosis are added to the victim’s medical record. Ouch. This may end up as a misdiagnosis, and the introduction of data that might conflict with the victim’s medical history or conditions. Such would-be contraindications as allergies, drugs the victim may be allergic to, and other health issues may not be considered. Finally, getting misinformation or fraud removed from a victim’s medical record can be extremely difficult and sometimes impossible.

To protect yourself from medical identity theft:

  • Install a locking mailbox. This helps prevent mail from being stolen.
  • Never carry insurance or medical cards on your person unless you have an actual appointment.
  • Protect medical information documents in locking file cabinets or encrypted files. Shred all throwaway documents.
  • Get identity theft protection. When a thief can’t steal your financial ID, your medical ID will be less attractive.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.