Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

The Risks Of Buying Drugs Online

Everyone loves a good deal. And the Internet provides several sources of deals and discounts. If you seek deals on prescription drugs, there are several things you should know so you don't get "mugged" by a rogue online pharmacy website.

Earlier this year, the National Association of Boards of Pharmacy (NABP), which accredits online drugstores, released the results of a study where it reviewed more than 9,600 online pharmacies. Key results:

• Most are rogues sites: 96.6% (or 9.349 of 9,677 online pharmacies reviewed) operated out of compliance with existing laws and standards
• Only 2.7% (259 online pharmacies) to be legitimate websites, and 0.7% (69 sites) were accredited through an NABP verification program
• Of these 9,349 online pharmacies, 8,122 don't require a valid physician's prescription
• 4,648 offer foreign or drugs not approved the U.S. FDA
• 3,363 have internet servers outside the USA
• 1,523 don't have secure web sites

The problem is intensified by drugs that are in short supply. Fraudsters know this and try to take advantage of the situation:

"The most critical shortages involve cancer, antibiotic, nutrition, and electrolyte-imbalance medicines, according to the FDA. For many community pharmacies, health-system pharmacies, and patients the lack of availability of needed -- and often life-saving -- medications through official, authorized supply channels means resorting to unconventional and more dangerous means of obtaining the medications, sometimes turning to unknown sellers online. The unfulfilled demand for these medications has created a lucrative market for counterfeiters..."

The results: several risks to consumers. One risk is that you may not get what you paid for:

"... health care facilities and patients have no assurance that the substances they receive are what they are purported to be. Many of the replacement drugs purchased online are unregulated, meaning there are no safeguards in place to ensure their identity, safety, efficacy, where and under what conditions they were made, or how they were handled."

A second risk is to your health. Counterfeit drugs can fail to address your medical conditions, make you sicker, or kill you:

"... two-thirds of the online drug sellers discovered in this study are represented on the NABP list of Not Recommended sites. These illegal online drug sellers pose serious risks to patient health. The risk is especially high with vaccines..."

A third risk is identity theft or fraud at those online pharmacies that operate unsecured sites.

Earlier this year, the U.S. Congress House Committee on Oversight and Government Reform investigated "gray market" companies, that operate outside of authorized drug distribution networks to provide short-supply drugs at hugely inflated prices. In July 2012, the committee released its report (Adobe PDF), which found:

"... a growing number of prescription drugs sold in the United States have experienced supply shortages. Because these shortages have been most severe among a group of injectable drugs used to treat patients with cancer and other serious illnesses, they have had a particularly serious impact on hospitals... During drug shortages, hospitals are sometimes unable to buy drugs from their normal trading partners, usually one of the three large national “primary” distributors... some short-supply injectable drugs do not reach health care providers through the manufacturer-wholesaler distributor-dispenser chain that policymakers and industry stakeholders present as the typical model for drug distribution. Instead, these drugs “leak” into longer gray market distribution networks, in which a number of different companies – some doing business as pharmacies and some as distributors – buy and resell the drugs to each other before one of them finally sells the drugs to a hospital or other health care facility. In more than two-thirds (69%) of the 300 drug distribution chains reviewed in this investigation, prescription drugs leaked into the gray market through pharmacies. Instead of dispensing the drugs in accordance with their professional duties, state laws, and the expectations of their trading partners, these pharmacies re-sold the drugs to gray market wholesalers..."

The investigation also found:

"... a number of businesses holding pharmacy licenses that do not dispense drugs, but instead appear to operate for the sole purpose of acquiring short-supply drugs that can be sold into the gray market.... Some gray market wholesalers gain access to shortage drugs by recruiting pharmacies to act as their purchasing agents..."

The impact is far higher drug prices than otherwise for health care facilities, hospitals, and consumers.

The NABP operates several online pharmacy accreditation programs, including the Verified Internet Pharmacy Practice Sites (VIPPS), the Veterinary-Verified Internet Pharmacy Practices Sites (Vet-VIPPS), and the e-Advertiser Approval Program. The NABP has appllied to the Internet Corporation For Assigned Names and Numbers (ICANN) for a specific domain-name to help consumers recognize accredited online pharmacies.

To protect yourself online, experts advise consumers to:

1. Buy drugs online from reputable stores you already know
2. Look for NABP VIPPS and Vet-VIPPS symbols when shopping
3. Visit AwareRX.org, which maintains lists of both NABP-recommended and not-recommended online pharmacy websites
4. Visit SafeMedicines.org operated by the Center for Safe Internet Pharmacies (CSIP), which contains a tool for patients to check if doctors in their state purchased counterfeit cancer medications
5. Watch this public service announcement produced by the CISP:

Download the full NABP report: "Internet Drug Outlet Identification Program Progress Report for State and Federal Regulators: April 2012" (Adobe PDF).

When Worlds Collide

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

How To Evaluate A Health Care Debit Card Plan From Your Employer

A blog post on Tuesday described Caren's experience with her United Healthcare Consumer Accounts Card, a specialized debit card her employer provided for Flexible Spending Account (FSA) expenses. That blog post highlighted what can go wrong with a health care debit card.

I wanted to take a closer look at the card agreement, and see what broader issues might apply in general. Today's blog post includes my findings about several items employees should be aware of when considering a health care debit card plan. I am not an attorney, so this is not legal advice -- just my observations and opinions as a consumer -- like you tyring to navigate a complex world. If you need legal advice, hire an attorney.

First, healthcare debit cards are similar to traditional debit cards, but with several important differences. Employees must understand how they work and when fees apply, just as you would with a traditional debit card with your bank checking account. So, it is important to closely read all appliable agreements, terms, or policies y to know your rights and responsibilities -- especially when bad things happen.

The introduction to the United Healthcare Consumer Accounts Card agreement (Adobe PDF; which is also available here) lists some important warnings:

"At the register or cashier: This is not a credit card, but you will need to choose “credit” when making purchases... At the pharmacy, supermarket or other retail store: Pay for eligible over-the-counter (OTC) supplies and materials. Please note: The card will be rejected if purchasing OTC medicines, even when prescribed..."

Select "credit" at the point-of-sale even though the card says "Debit" on its face? Prescribed OTC medicine will still be rejected? These exceptions sound like a recipe for employee confusion and rejected purchases. While the agreement states that it is a MasterCard Debit, I wonder if the bank tweaked a traditional credit-card payment solution for health care purchases and rushed it to market without removing all the bugs first.

What comes to mind is that old saying: never buy the first year of a new car production (and wait until the manufacturer gets all of the bugs out). Seems to apply to payment solutions, too.

Section #2 of the same agreement states:

"When you use the Card, you represent and warrant that you will not submit, and have not previously submitted, a claim for reimbursement for the same expenses under any other plan or program. You agree to save all invoices or receipts that are provided to you by merchants and service providers when you use the Card. You agree to provide a copy of any such receipt to us or United Healthcare, promptly on request. If you fail to submit a receipt when it is requested, under IRS rules, the amount in question may not be excluded from your gross income for federal tax purposes or may otherwise result in financial penalties to you. Your use of the Card is subject to the terms and conditions of the Plan, as well as the terms and conditions of this Agreement..."

So, employees must still save all purchase receipts. The health care debit card doesn't eliminate all paperwork. The last sentence in the above clause is important because it highlights the fact that several policies apply. It would be helpful if this agreement listed all applicable policies. My estimate is that at least five different policies apply:

1. Consumer Accounts Card Agreement,
2. United Healthcare HIPAA Privacy Policy,
3. Any additional policies at myUHC.com,
4. Employee handbook or manual,
5. Optum Bank policy

Employees should not have to guess which policies apply. It would be best for employees if a single, consolidated policy applied, but unfortunately American business does not operate that way today.

Let's return to the Consumer Accounts Card agreement, which also states:

"You agree that you will only use the Card to pay for eligible expenses under the Plan... if you use the Card for anything other than an eligible expense, you will be liable for any taxes, penalties and other expenses payable under applicable law and any expenses we, United Healthcare or your employer may incur as a result of such impermissible use. Upon demand, you agree to reimburse us, United Healthcare or your employer, as the case may be, for any such use for non-eligible expenses..."

While employees may think that ineligible FSA expenses are automatically blocked at the point-of-sale, the agreement governs what really happens. The Consumer Accounts Card payment process may indeed block some ineligible purchases, but United Healthcare and the bank seem to have left themselves a convenient loophole where employees are still liable. It would be helpful if the agreement stated what those amounts of taxes, penalties, and other expenses could be. It seems risky to use a debit card when you don't know the exact amount of fees that might apply.

Second, employees should be aware of their responsibilities to avoid liability. The "Consumer Liability" portion of the agreement states:

"Tell us AT ONCE if you believe your Card has been lost or stolen. Telephoning is the best way of keeping your possible losses down. If you tell us within 4 business days, you can lose no more than $0 if someone used your Card without your permission. (If you believe your Card has been lost or stolen, and you tell us within 4 business days after you learn of the loss or theft, you can lose no more than $0 if someone used your Card without your permission.)"

This four-day time period seems unreasonably short. My bank allows 60 days from my statement to dispute a charge on that statement. Does United Healthcare expect employees to check their online FSA account every four days? The next portion of the agreement states what happens when employees provide notice after the four-day window:

"If you do NOT tell us within 4 business days after you learn of the loss or theft of your Card, and we can prove we could have stopped someone from using your Card without your permission if you had told us, you could lose as much as $50."

Now, the liability sounds more like the liability with a traditional credit card: $50. What I find troubling about this clause is that it assumes traditional theft or loss. This blog has documented numerous examples of identity thieves plant skimming devices inside point-of-sale terminals at gas stations, supermarkets, and other retail stores to steal consumers' data to clone debit cards. Since employees are forced to use health care debit cards at retail stores, a more relevant agreement would provide tips about what to do if they believe their card has been cloned. Perhaps the myUHC.com site explains this, but I don't have a myUHC.com account.

The agreement also states (emphasis added by me):

"... if the statement you receive from the Plan administrator shows transfers that you did not make, tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you could lose as much as $50 if we can prove that we could have stopped someone from taking the money if you had told us in time."

Again, that sounds like traditional credit card liability (e.g., $50), but at least the window for notice is longer at 90 days. Why lead with the four day clause? It seems unnecessary. In Caren's case, it seems that United Healthcare is enforcing the 90-day clause. What I find troublesome about the above clause is that it assumes paper statements sent via postal mail. In reality, employees' statements are available online. Nothing is sent via postal mail. So, why write the agreement assuming this? It sounds like the card agreement was rushed to market without all the bugs removed.

Another portion of the agreement states:

"ALL QUESTIONS ABOUT TRANSACTIONS MADE WITH YOUR CARD MUST BE DIRECTED TO THE BANK, AND NOT TO YOUR EMPLOYER OR PLAN ADMINISTRATOR. The Bank is responsible for issuing the Card and for resolving any errors in transactions made with your Card. The transactions will appear only on the statements provided to you by the Plan administrator."

It would be helpful if the agreement listed the bank's phone and postal address information. I couldn't find it in the agreement. The agreement lists United Healthcare's phone and postal address information. In my experience, well-written agreements provide both phone and postal address information with any instructions where consumers should give notice. Perhaps, the other policies provide this information, but I don't have a myUHC.com account.

SO, let's see if I got this correct. The agreement directs employees to contact United Healthcare for transfers the employee didn't make, but contact the bank about statement "errors."What's the difference? How are employees to tell? This sounds confusing.

It troubles me that the above clause mentions "errors" and doesn't mention "fraud." I would expect any bank to aggressively investigate suspected fraud. The fact that Optum Bank's flow of funds page still presents a 2008 copyright does not give me much confidence in the bank:

If something this simple still says 2008, what else has this bank missed? Or, should consumers conclude that the Optum web site hasn't been updated in four years? Or is this flow-of-funds information that is four-years old and/or obsolete? I would expect more timely and current information from any bank -- especially one processing my extremely sensitive health care information.

The "Fees" section of the agreement states:

"OptumHealth Bank does not charge usage fees for this card."

No fees are good, because banks can apply a wide variety of fees to debit-card accounts.However, it means that employees should monitor any changes in the card agreement. Things might change with new fees introduced. So, employees should read any updates to the card agreements or policies with their health care debit cards.

Now, let's return to Caren's story. The fact that Caren never used the Medco online pharmacy should be a huge "red flag" to Optum Bank, Large HR Firm, and United Healthcare. It suggests that Caren's payment information was stolen. The payment data on Caren's Consumer Accounts Card could have been stolen via a skimming device, which identity thieves plant inside point-of-sale terminals at retail stores and gas stations -- not just at bank ATM machines.

If Caren's Consumer Accounts Card was not cloned via skimming device theft, then a couple other options are possible. The pharmacy may have re-submitted the purchases it originally rejected -- and if so, it should have notified Caren, and reimbursed her for the purchases she paid out-of-pocket. Caren could test this by using a different pharmacy. If the duplicate charges don't happen at the second pharmacy, then it is reasonable to assume a problem at the first pharmacy. If the duplicate charges continue, then it seems safe to assume that her debit payment data was stolen.

Insider identity theft is always a possibility. It's harder for employees to spot, but it does happen.

What should employees do if your employer offers a specialized debit card for healthcare expenses? I suggest the following steps:

• Read all applicable policies to know your rights and responsibilities -- especially before registering for a FSA with your employer. Your employer may have negotiated a really good deal for its employees, or not. Don't blindly assume so; read the fine print in the agreement first. Part of evaluating if it's a good deal is looking for certain clauses in the agreement -- like the ones listed above. If you have difficulty reading contracts, get help from a trusted friend, family member, or attorney if you can afford one.
• Use the Internet to find reviews written by employees about their health care debit card plan. Places I like to look include Consumer Reports, The Consumerist, and Epinions.
• File a police report with local law enforcement. (In Caren's case, somebody spent money from her FSA account without her authorization. That is theft.) Insist on law enforcement accepting the report. Make several copies. Attached the police report to any complaints filed with your employer, the FSA healthcare administrator, and the bank,
• Use a different pharmacy. If the duplicate charge problem stops, it is reasonable to assume a problem at the first pharmacy, and file a police report accordingly,
• If you feel that you aren't getting the services promised by the bank which processes your health care debit card transactions, learn about how to file a complaint against your bank.
• File a fraud complaint with the U.S. Federal Trade Commission (FTC) including any relevant documents (and non-action by employer, HR Firm, health care firm, and bank). This will help the FTC track any emerging theft trends with health care debit cards.
• If there is no action by the employer, HR Firm, healthcare firm, and/or bank), write a letter to your federal or state elected officials asking for help. It's part of their jobs -- to help their constituents.

Is the United Healthcare Consumer Accounts Card a good deal? Only you can decide for yourself, as everyone's needs are different. Hopefully, I have highlighted the things consumers should look for in any health care card agreement, so you can make an informed decision.

If you use a specialized debit card for health care expenses, what has been your experience?

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

Report: Health Care Industry Privacy, Security, and Data Breaches

Last month, the Deloitte Center for Health Solutions released a new report, "Privacy and Security in Health Care: A Fresh Look." The report identified the risks about privacy and security breaches within the health care industry, and recommended solutions for health plans, information technology vendors, and both federal and state health agencies.

The report found several reasons for increased risks:

• Lack of internal resources (human resources and capital)
• Lack of internal control over patient information
• Lack of upper management support
• Outdated policies and procedures
• Inadequate training of staff and personnel

According to Paul Keckley, Ph.D., and executive director of the Deloitte Center for Health Solutions:

"Medical fraud is a serious issue, and 67 percent of consumers we polled believe fraud has a major influence on driving up the overall cost of healthcare."

The Health Insurance Portability and Accountability Act (HIPAA), enacted in April 2003, requires health care organizations to report data breaches of 500 or more records. Deloitte analyzed the breaches by organization type:

• 71% - Health Care Provider
• 16% - Health Plan
• 14% - Hybrid Entity

About one-third of all health care breaches result in medical identity theft; patients' health records were used by identity criminals. Deloitte also analyzed the data breaches by equipment type:

An important summary:

"The total economic burden created by data breaches in the health care industry is nearly $6 billion annually. The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580."

Located in Washington, D.C., the Deloitte Center for Health Solutions is the health services research unit of Deloitte LLP, the accounting and consulting company.The unit provides research for various Deloitte operations. Its research activities focus on three areas:

"1. Health policy and health reforms in the U.S. health care system;
2. Disruptive innovations that result in innovative solutions to improve efficiency and effectiveness, and
3. Consumerism, incorporating how end users of health goods and services think and behave."

The report does a good job of explaining the status of various legislation (e.g., HIPAA, ARRA, Red Flags, HITECH) about data security for the health care industry. The report also provides a glossary of terms.

Given the risk factors, the ongoing history of data breaches, and the rapid pace of change with new technologies (e.g., mobile devices), I don't see this situation improving quickly nor soon. To learn more, download the Deloitte Center report (595k bytes, PDF).

The Benefits Of Being An Identity-Theft Victim

Several studies and surveys have documented the pain and frustration consumers experience when they become identity-theft victims. Much time is spent documenting the damage and submitting paperwork to law enforcement and financial institutions. Much time and money are spent fixing the damage to financial accounts done by identity thieves. It can be extremely difficult to fix the damage to medical records. Usually, lawyers must be hired and money paid for credit report monitoring services and identity resolution services.

With all of this downside, I have come to believe that there is an upside to identity theft and fraud. Since I started writing this blog in 2007, I have talked with many consumers about their experiences. I am not referring to credit card fraud, because the process is pretty easy and of minimal impact to consumers. Their credit card issuer usually provides a replacement card and account; and the consumer is out up to $50.

The fraud I refer to includes:

• When identity criminals open new accounts or gain credit in the victim's name; or drain their financial accounts
• When identity criminals obtain health card services using the victim's information. This medical fraud results with the victim's and the criminal's medical conditions and treatments mixed together; a situation not easily nor quickly corrected
• When identity criminals commit crime using the victim's name and address information

Most people ignore the whole issue until it happens to them. Then, they want to learn everything they need to know, so it doesn't happen again and they can fix any problems.

The list below is based on my experiences, as a consumer like you. The benefits I see of being an identity theft victim:

• Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
• Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
• Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
• Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
• Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
• Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action.

So, a painful event can often result in something positive. What do you think?

7 Ways To Protect Your Medical Records

The recently passed health care reform legislation in Washington included directives for doctors and hospitals to covert patients' medical records to electronic formats. That's a lot of good news.

The bad news: identity thieves view patients' medical records like gold. These records contain the most sensitive patient information (e.g., Social Security number, address, birth date, payment history and method) needed to create a new identity or assume another person's identity. Plus, experts say it can cost over $20,000 per victim to fix your medical records.

The AARP Bulletin reported the results of the National Study on Medical Identity Theft by the Ponemon Institute. The article listed seven tips for consumers to protect their medical records:

1. Ask your health care provider to demand photo IDs from all patients to receive services.
2. Ask your doctor(s) to make copies for you of everything in your medical file(s).
3. Read every letter and notice you receive via postal mail from your doctor and health insurer. Check the dates, descriptions, and amounts to verify that the document covers a valid visit or procedure for you.
4. Ask your health care provider or doctor for a list of benefits paid in your name and an "accounting of disclosures" to see who has received a copy of your medical record.
5. Review your credit reports yearly for health care billing errors or fraudulent medical entries.
6. Contact your health insurer immediately if you lose your insurance card.
7. Avoid Internet and storefront retailers offering free treatments and supplies.

As Criminals Target Elders And Retirees For Fraud And Identity Theft, Several Resources Emerge

While this blog has focused primarily on data breaches affecting consumers broadly, over the past few weeks I have noticed a trend in scams and threats that target elders and retirees. I use the term "elders" because not elders (e.g., people over 50 years of age) are retirees, and not all retirees are elders. Like any other consumer segment, elders and retirees can be vulnerable because the use the same online technologies as other age groups.

First some facts. Pew Internet reported broadband access by age groups: about 59% for consumers ages 50 - 54; 57% for ages 55 - 59; 48% for ages 60 - 64; 42% for ages 65 - 60; and 30% for ages 70+. MediaPost reported than profiles at social networking sites is increasing among older Americans. While 78% of teens has social net profiles, the penetration is 77% for ages 18 24; 65% for ages 25 to 34; and 51% for ages 35 to 44.

These statistics don't surprise me because there are plenty of blogs written by and for elders. To learn more, Ronni Bennett, author of Times Goes By, maintains an excellent elder blogroll.

E-mail phishing scams affect consumers of all ages. ATM skimming devices steal from ATM users of all ages. Gas pump skimming devices steal from auto drivers of all ages. A prior blog post covered some of the retirement abuses by senior company executives. There is more to the problem that this. Many elders are larger consumers of health care and 5.8% of U.S. adults have alrady been victims of medical identity theft.

In Alabama, scammers were going door-to-door attempting to sell to elders "ObamaCare" health plans that were overpriced, unnecessary and contained insufficient coverage. In Hawaii, an elder man was financially abused and driven deeply into debt after giving away his durable power of attorney to a female acquaintance who used it to drain his bank account and opened new credit cards and a reverse mortgage.

Last week, at a conference on aging in Marlborough, Massachusetts, Governor Deval Patrick and Attorney General Martha Coakley advised elders:

• While technology changes, many of the same scams persist
• If an offer sounds too good to be true, it probably is
• Offers with "you must act now" are a tip-off of a probable scam
• Be aware of credit card fraud and fake charities
• Protect their sensitive personal and bank account information

Earlier this month, Arizona Attorney General Terry Goddard hosted a seminar to teach consumers of all ages about how to detect and avoid scams targeting elders. The free session covered identity theft, Internet safety, elder abuse, and Medicare fraud. Another seminar occurred in March at the Sun Lakes Center of Chandler-Gilbert Community College. Arizona also operates a "Senior Anti-Crime University."

The New York Department of Aging (DFTA), the Department of Consumer Affairs (DCA), the Aging in New York Fund and the American Museum of Finance jointed developed an interactive financial education game titled "It's My Money" to educate elders on identity theft and fraud scams. The game, launched in February 2010, can be downloaded for free and is designed for play in group settings, such as community centers. Versions of the game are in English, Spanish, Russian, and Chinese.

Also in February, the Institute for Financial Literacy launched the Project SCREEN (Senior Citizen & Retiree Empowerment Education Network) program to train senior service providers to teach financial literacy skills to their clients because elders are targets of fraud, identity theft, and financial abuse.

Next month, a representative from the Pennsylvania Attorney General's office will share the latest scams by identity thieves at a seminar for elders in Wyoming County near Wilkes-Barre.

To find information and upcoming events where you live, contact the attorney general office or consumer protection office in your state or county government.

Medicare Fraud: What It Is And How To Avoid Becoming a Victim

What is medicare fraud? In the Medford Transcript via Wicked Local, Dan O'Leary provides a definition for elders:

"Medicare fraud occurs when an individual receives Medicare benefits to which they are not entitled. How would this work? Perhaps someone approaches you in a parking lot and offers you free groceries if you give them your Medicare number. Or, maybe you receive a telephone call from a person who claims to be conducting a survey and asks for your Medicare number."

You should not disclose your Medicare number in either of the above situations. How to protect yourself:

"You should only divulge your Medicare number to your doctors and other providers approved by Medicare. To see if a provider is approved by Medicare, call 1-800-MEDICARE (1-800-633-4227). In addition to protecting your personal information, you should treat your Medicare benefits like any other valuable service. Be wary of offers that claim to provide Medicare services for free. Be cautious of any health provider that says it has been endorsed by Medicare."

If your Social Security card is lost or stolen, visit the www.socialsecurity.gov site. If you suspect or experience medicare fraud, report it to the Office of Inspector General as soon as possible. You can also report Medicare fraud at the Medicare.gov site.

Survey: 5.8% Of US Adults Have Been Medical Identity Theft Vitims

Identity thieves want far more than your credit card, debit card, and bank account information. They want your medical information. Why? For a variety of reasons, one of which I covered in yesterday's blog post. Another reason is to sell stolen medical information to others to get free health care they don't have access to otherwise.

ComputerWorld reported the results of recent survey about medical identity theft:

"Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160... "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss identity theft in general. Among those surveyed, 5.8% provided specific details about how they had been hit by medical ID theft, in particular."

Medical identity theft is defined as when another person uses stolen medical insurance information to acquire health care goods and services. Some key statistics from the survey:

"29% of victims of medical ID theft discovered the problem a year after the incident, and 21% said it took two or more years to learn about it... Nearly half of the victims (48%) lost coverage due to medical ID theft. Roughly 75% found resolution difficult, and only about 25% said there were no consequences due to the theft... 46% did not report the incident to law enforcement or other legal authorities... and 33% said the medical ID theft occurred because a family member used their medical ID for goods and services without their knowledge."

So, consumers should protect their medical insurance cards just as you would protect your debit/credit cards.

Florida Couple Return To Identity Theft

When law enforcement catches identity thieves and fraudsters, I like to acknowledge it.

Yet, some identity criminals never seem to learn. The Miami Herald reported:

"Last year, they were charged with running a racket to pilfer patient records from Jackson Memorial Hospital to sell to lawyers for personal-injury claims. Now Ruben E. Rodriguez and wife Maria Victoria Suarez have been indicted again for paying an ambulance-company employee to steal information on patients transported to Miami-Dade hospitals and healthcare clinics. That theft scheme dates all the way back to 1995, according to an indictment filed last week. In both federal cases, the Coral Gables couple are accused of brokering the stolen computer records of patients' names, addresses, telephone numbers and medical diagnoses to several attorneys in exchange for kickback payments. The lawyers paid them hundreds of thousands of dollars for the referrals after settling injury claims, authorities say... According to court records in the JMH case, one unidentified personal-injury attorney wrote 27 checks totaling $85,250 to a shell company incorporated by Rodriguez as kickback payments for the patient referrals between 2006 and 2009."

Hopefully, this couple -- and the lawyers that facilitated this scam -- will all be off to jail for a long time. And, I hope that the newspaper and the prosecutors publish the full list of attorneys and health care workers involved.

Beware Of Phishing Emails About Fake CDC Flu Vaccination Registrations

An important notice for consumers so you do not get "mugged" during the flu season. The Centers For Disease Control published an advisory for consumers:

"CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program. The messages request that users must create a personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The message then states that anyone that has reached the age of 18 has to have his/her personal Vaccination Profile on the cdc.gov site. The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. Users that click on the email are at risk of having malicious code installed on their system."

Learn how to recognize a phishing e-mail message and a phishing web site. Or, read this blog post.

How To Check Your Insurance Company's Complaint Record

Everyone has horror stories about insurance companies, whether its auto insurance, health insurance, homeowners, or property insurance. There's a good article at Kiplinger.com that has documented the leading ways insurance companies "mug" or abuse their customers:

"... the top complaint had to do with claims payments -- claims-handling delays (19.1%), followed by denial of claims (17.9%) and unsatisfactory settlement offers (15.0%). You should be concerned if a company you're considering has a lot of complaints in these areas. The next category of complaints revolves around underwriting -- the insurer's process of accepting or rejecting applicants and setting rates. Premium and rating accounted for 4.8% of the complaints, and policy cancellation for 4.2%. The type of insurance policyholders had the most complaints about was accident and health insurance (37.7%), followed closely by auto insurance (33.7%). There were fewer complaints about homeowners insurance (12.71%) and life insurance and annuities (10.4%)."

Maybe you are looking for a new insurance company, or just curious about your current provider. To check an insurance company's complaint record, visit the Consumer Information Source Web site produced by the National Association of Insurance Commissioners (NAIC). Then:

"Type in the name of the company, the state where you live and the type of insurance. (Under "statement type" and "business type," click on "property/casualty" for home and auto insurance or "life, accident and health.") The site then provides the insurer's national complaint statistics. Focus on the complaint ratio, which shows the ratio of the company's U.S. market share of complaints to the company's U.S. market share of premiums for a specific policy type... If the national median complaint ratio is 1.00 and the ratio for the company you're considering is 2.00, for example, that should be a red flag. Also look at the complaint trend report to see whether the company's complaints have been increasing or decreasing over time. If the insurer's complaint ratio is high, check its record at your state insurance department and find out whether any enforcement actions have been taken against the insurer."

To find your state government's insurance department, browse this NAIC Web page with a map of insurance commissioners by state. Both links are great resources, whether you are happy with your current insurance company or looking for a new one.

An Example of Insider Medical Identity Theft

From the Billings, Montana Gazette:

"A 33-year-old Columbia Falls woman has been sentenced to two years in prison and ordered to pay more than $18,700 in restitution for her role in an identity theft case... Prosecutors say [Andrea] Mackowiak took names, Social Security numbers and dates of birth from patient account records at a clinic and gave the information to a person in Washington state. That person used the information to set up Qwest telephone accounts that were used by prison inmates."

Thanks to local law enforcement that this identity criminal was caught and prosecuted.

After 35 Years, Oregon ID-Theft Victim Happy With Arrest

This Forbes magazine story is a reminder that identity criminals will use stolen data as long as they can get away with it:

"An Oregon man who was the victim of a 35-year-long identity theft said Thursday he's so happy about an arrest in the case... Tom Lesh, 66, said he's known since the 1970s that his brother's friend stole his identity, and he appealed to everyone from the IRS to the suspect's own mother for help - to no avail. As the decades wore on, he said, he spent "thousands of hours" writing letters to credit card companies, banks, insurance companies and government agencies, trying to clear his name..."

This year, a Premera Blue Cross insurance fraud investigator named Sandy Larson started investigating and contacted Lavelle, a special agent with the Social Security Administration's Office of the Inspector General:

"... Lavelle tracked down the suspect, a 58-year-old truck driver whose real name is Clark Mower, and arrested him Wednesday near his Seattle home. He was charged in U.S. District Court in Seattle with aggravated identity theft, Social Security number misuse and unlawful production of an ID."

In my mind, restitution and prison time are appropriate. This incident offers several reminders:

• Companies must investigate ID-theft and medical ID-theft compalints
• Inisder identity theft can often include relatives and "friends"
• The SSA offers instructions for consumers to report fraud
• A one- or two year-offer of free credit monitoring by companies after a data breach is woefully too short and insufficient.

Medical ID-Theft, Extortion, Credit Monitoring Services, and The State of Identity Protection

I try really hard in this blog to highlight the implications of things. Often, there are consequences for consumers. Sometimes the consequences are obvious and immediate. Sometimes they are not.

Perhaps you heard about a recent data breach at the Virginia Department of Health Professions. After stealing over 8 million consumers' health records, identity thieves demanded a $10 million ransom payment for the return of the stolen information. InformationWeek reported:

"An extortion demand posted on WikiLeaks seeks $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from Virginia Department of Health Professions... The note goes on to demand $10 million within seven days, presumably from the time the data was apparently seized on April 30, in exchange for the key to decrypt the encrypted backup."

The thieves threatened to sell the stolen data on the black market, if they don't receive payment by the deadline... presumably Thursday May 7.

You probably read this and said to yourself, "No problem. I don't live in Virginia, so my data wasn't stolen." Well there is a big problem.

First, there have been prior cases of medical identity theft and extortion. One consequence for consumers: identity thieves have targeted consumers' medical records. Experts estimated that about 3% of all health care spending is lost to medical fraud.

Identity thieves will steal consumers' medical information to either use themselves, or to resell to others. The sad fact: your medical information has value to people who want medical care and don't want to pay for it. So, using another person's stolen identity is a way to get free medical care.

In his Identity Theft and Business blog, John Taylor described the consequences for medical identity theft and fraud victims:

"When my medical records are stolen and used for cash, or I can no longer get health insurance because my records have been corrupted and claims are made against my policy... what will Todd Davis of Lifelock, or Bo Holland of Debix, or Daryl Yurek of ID Watchdog do to help me? Will they provide me with ready access to attorneys who will represent me as a victim of Medical identity theft? Will they help me to sort out my records for accuracy, and help to amend my insurance data, and help to remove false claims from my records. Will they provide any assistance whatsoever for medical records fraud or theft, or ransom?"

An implication for consumers: these are questions consumers should ask themselves now. If your medical records are stolen, how will you fix the damage done by identity thieves? Fixing the damage is a lot more complicated and longer than getting a replacement credit card after credit card fraud.

This is a poor way to operate the health care industry.

Another implication for consumers: know the gaps that exist. Most identity protection companies have done a lot to help consumers protect their credit reports, but haven't done much to protect medical information. This also applies to the three major credit reporting agencies: Equifax, Experian, and TransUnion. They are no better, since they have focused only on protecting credit reports. That's why their services are called credit monitoring services and not identity protection services.

This is a poor way to operate an identity protection industry.

Another implication for consumers: the companies that sell C.L.U.E. insurance reports to other companies have done no better either. Read my prior posts about insurance reports and Choicepoint, which offers Security Freezes in only 8 states and not nationwide like the major credit reporting agencies. That's another gap in consumers' identity protection.

This is a poor way to operate an insurance industry.

It was just last month that the U.S. Federal Trade Commission (FTC):

"... announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached. The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information."

Yes, you read that correctly. The FTC is still discussing laws to require companies to notify consumers when their medical information is stolen/lost. And, the FTC doesn't expect to finish until February 2010. Faster action by government is required. Identity thieves aren't waiting, and many states have had breach notification laws (for other types of consumer information) in place for the past five years or so.

If this state of affairs bothers you (and I sincerely hope that it does), I encourage you learn more about medical identity theft. Then, contact your elected officials in Congress and demand consistent consumer protection and notification across credit reports, insurance reports, and medical information. When you visit your doctor or HMO, ask them what they are doing to protect your sensitive personal data. Also demand a printed copy of their data security policy.

Since I have started this blog, I have searched for a truly comprehensive identity protection service, which should include:

• Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
• Unlimited access to the full text of all of my C.L.U.E. insurance reports
• Unlimited access to the full text of all of my sensitive personal medical information
• Monitoring of my identity across social networking sites
• Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
• Tools and calculators to help me evaluate these reports
• The ability for to customize alerts based on my individual needs
• Options to add Fraud Alerts to any or all of the above reports
• Options to add Security Freezes to any or all of the above reports
• Criminal fraud monitoring (if my identity is used by thieves during a crime)
• Identity fraud assistance when traveling outside the USA
• Identity resolution services and insurance for all of the above reports
• 24/7, and easy access to a real person in customer service via phone
• Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. It shouldn't be this hard.

So, as far as I can tell a truly comprehensive identity protection service doesn't exist. When it does, I will be happy to subscribe.