Posts

Medical Identity Theft: 12 Million Patients Breached

Quest Diagnostics is a US-based company that provides medical testing services, and announced that it used third-party billing collection companies that were hit by a severe data breach. In fact, about 11.9 million Quest customers were affected.

The compromised information could include personal data of the patients, including Social Security numbers, as well as medical and financial information. However, laboratory test results aren’t included in the breach.

What Happened?

The AMCA (American Medical Collection Agency) is a billing collection service provider and informed Quest Diagnostics that it had an unauthorized user who gained access to the AMCA system, which contained personal information that AMCA got from a variety of entities, including Quest. AMCA provides its collections services to Optum360, which is a Quest contractor. Both Optum360 and Quest are working with experts to investigate the issue.

The company also noted that it still doesn’t have much information about the data security incident at AMCA, and it doesn’t know for sure what data was compromised. However, the company no longer sends its collection requests to AMCA and won’t do so until the issue is resolved.

Quest filed an SEC filing, which revealed that the attackers gained access to the AMCA system between August 2018 and March 2019.

According to one data breach website, Gemini Advisory analysts first discovered the breach. The analysts noticed a CNP (Card Not Present) database, which had posted for sale on the dark web’s market. It figured out the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted the US federal law enforcement agency.

A spokesperson for AMCA says that, upon receiving the information that there was a possible data breach from a compliance company that worked with other credit card companies, it conducted an internal investigation and took down its payments page online. The company also said it was investigating the breach with the help of an unnamed third-party forensics company.

The Quest breach targeted primarily financial data with personal information (SSNs). That kind of information is significantly more lucrative than health information, which isn’t really marketable by criminals, at least not yet. The financial information disclosed was comprehensive and included bank accounts and credit card numbers. Therefore, victims could get their identities stolen and have financial transactions completed in their name.

Users of the website or the company need to get a credit freeze and monitor their bank accounts and credit cards for any unusual activity and might want to freeze their credit reports so that no new credit lines can be taken out in their name.

Action needs to be taken now to freeze your information with the credit bureau and warn the credit bureaus that your financial information might have been compromised. Along with such, financial institutions usually have programs available to take corrective action, which can prevent your credit card or account from being used without permission if your account has been compromised.

The issue is that insurance and healthcare information doesn’t have such a centralized process, which makes it extremely tough to prevent the use of this information from someone who doesn’t have permission to use it.

The Cybersecurity evangelist of Thales, Jason Hart, chimed in with the fact that multi-factor encryption and authentication of the collected data might have saved the companies and victims from having problems.

The VP of innovation and global strategy at ForgeRock, Ben Goodman, noted that this is the second known breach for Quest in just three short years. As a public company, it could lead to a variety of serious repercussions with respect to brand reputation, shareholder trust, and stock prices. He also said that the exposed data might result in litigation. When First American Financial Corporation was breached, it took just a few days for the company to get hit with a class-action lawsuit when it exposed 885 million documents full of sensitive information just last week.

The CISO and Senior Director for Shared Assessments, Tom Garrubba, wants to see just how quickly the Office of Civil Rights (an overseer of HIPAA compliance), rushes in to get information about the breach and to determine if any negligence was there and if Quest is to blame (partially or fully).

Through the HIPAA Omnibus Rule, business associates must handle any data with the care provided to covered entities (outsourcers). Those business associates have to provide due diligence to the covered entity.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Why you want a Copy of your Medical Records

After receiving medical treatment, many people never look over the paperwork (save for bill total) and just shove it into some folder in a file cabinet. But medical identity theft is very much out there; know the signs:12D

  • You’re denied coverage because you allegedly have a condition you were never diagnosed with.
  • A collection agency is hounding you about unpaid medical bills you never had.
  • Your credit report shows medical collection notices.
  • The bill is for treatment you didn’t receive.
  • Your health care provider says you’ve reached your coverage limit.

Thieves steal identities to use the victim’s medical coverage, and this could prove life threatening to the victim depending on the victim’s health status. This is why you should keep records for all medical visits and treatments. Read everything carefully as though you’re searching for mistakes or mis-matched information. Keep records of all associated phone calls and e-mails.

But remember this: You always have a right to all of your records, so don’t let any resistance from the carrier make you give up.

  • If you run into problems getting any records, learn about your state’s health privacy laws.
  • Obtaining copies may require a fee.
  • Request a copy of “accounting of disclosures.” This tells who has ever received copies of your medical records, and when and why.
  • Look for mistakes and request corrections from the provider via certified mail.
  • If someone has stolen your medical identity, the provider may not want to turn over the records to you. Check the provider’s Notice of Privacy Practices and appeal to the contact person listed there.
  • With all that said, you should get the records within 30 days. If not, report this to the U.S. Department of Health and Human Services Office for Civil Rights.

Medical identity theft can result in you not receiving coverage for major treatment. Here are tips from vitals.lifehacker.com for prevention of this crime:

  • Never reveal your Medicare number to anybody in public, even if it’s a person inside a medical clinic lobby approaching you and offering a free service for Medicare users.
  • Never give your Medicare number over the phone. No exceptions, even if the caller is claiming to be from Medicare.
  • Check all medical bills for any odd charges, duplicate charges or errors.
  • If a charge appears unauthorized, promptly report it to the provider. If that doesn’t help, escalate it to Medicare if you’re on Medicare.
  • Contact the Federal Trade Commission if you suspect medical identity theft.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Scammers Use Medical Issues To Prey On People’s Good Nature

While there are some mean and nasty people out there, generally people are nice, kind and cordial. We are conditioned from birth to be civil towards each other.

However, those mean and nasty’s seem to pop up all the time and ruin someone’s day.  One scam in particular that has always intrigued me revolves around health issues.

Organ transplant scam – In New Hampshire “a man who almost conned a 73-year-old Maine woman out of $35,000 by claiming he needed a liver transplant has agreed to plead guilty as part of a plea deal he struck with prosecutors. He told her that he would die without the transplant; the scammer also allegedly told police that God told him he needed the operation and he convinced the woman that he was interested in her romantically, and had once stayed over at her home. His alleged plan was to have the woman take out a loan against the equity of her house.”

Cancer scam – In another case “a Michigan woman convicted of scamming thousands of dollars from donors by drugging her 12-year-old son to make him appear to have cancer. The scammer elicited donations from individuals, groups and members of at least one church who believed they were helping to pay for her son’s medical care as he underwent chemotherapy. She is accused of shaving her son’s head and eyebrows. Court records show she told her son he had leukemia.”

These medical scams are generally successful because someone somewhere is going to tap into their good nature and help out. And while I suggest helping out whenever possible, simply beware of medical and disease scams and be careful who you donate to. You can always do some deeper checking with the hospital the person says they are being treated at. This in most cases will stop the scammer on their tracks.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.